Frontend File Manager < 22.7 – Editor+ Arbitrary File Download | CVE 2023-5105 | Plugin Vulnerabilities

Description

The plugin has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as `wp-config.php`

Proof of Concept

1) Create new post with this shortcode - [ffmwp]
2) Go to new post and upload any file
3) After that go to main page of plugin for users http://your_site/wordpress/wp-admin/edit.php?post_type=wpfm-files
4) Click to "Edit" button
5) Change wpfm_dir_path and wpfm_file_url to /var/www/html/wordpress/wp-config.php
6) Go back to the main page http://your_site/wordpress/wp-admin/edit.php?post_type=wpfm-files and click "Download"

Affects Plugins

nmedia-user-file-uploader

Fixed in 22.7

References

CVE

URL

https://research.cleantalk.org/cve-2023-5105-frontend-file-manager-plugin-path-traversal-to-full-control-poc

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

d40c7108-bad6-4ed3-8539-35c0f57e62cc

Timeline

Publicly Published

2023-11-13 (about 2 years ago)

Added

2023-11-13 (about 2 years ago)

Last Updated

2023-11-29 (about 2 years ago)

Other

Published

Title

Published

2017-09-29

Title

Insert Pages < 3.2.4 - Directory Traversal

Published

2023-05-15

Title

MW WP Form < 4.4.3 - Unauthenticated Path Traversal

Published

2021-07-05

Title

Haxcan <= 1.0.0 - Arbitrary File Access

Published

2021-02-08

Title

Backup by Supsystic <= 2.3.9 - Authenticated Arbitrary File Download and Deletion

Published

2023-03-22

Title

Pricing Tables For WPBakery Page Builder < 3.0 - Subscriber+ LFI