Frontend File Manager < 22.7 – Editor+ Arbitrary File Download | CVE 2023-5105 | Plugin Vulnerabilities

Description

The plugin has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as `wp-config.php`

Proof of Concept

1) Create new post with this shortcode - [ffmwp]
2) Go to new post and upload any file
3) After that go to main page of plugin for users http://your_site/wordpress/wp-admin/edit.php?post_type=wpfm-files
4) Click to "Edit" button
5) Change wpfm_dir_path and wpfm_file_url to /var/www/html/wordpress/wp-config.php
6) Go back to the main page http://your_site/wordpress/wp-admin/edit.php?post_type=wpfm-files and click "Download"

Affects Plugins

nmedia-user-file-uploader

Fixed in 22.7

References

CVE

URL

https://research.cleantalk.org/cve-2023-5105-frontend-file-manager-plugin-path-traversal-to-full-control-poc

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

d40c7108-bad6-4ed3-8539-35c0f57e62cc

Timeline

Publicly Published

2023-11-13 (about 6 months ago)

Added

2023-11-13 (about 6 months ago)

Last Updated

2023-11-29 (about 5 months ago)

Other

Published

Title

Published

2020-05-16

Title

Simple File List < 4.2.8 - Authenticated Arbitrary File Deletion

Published

2022-10-14

Title

WP All Import < 3.6.9 - Admin+ Directory traversal via file upload

Published

2017-02-15

Title

Posts In Page < 1.3.0 - Directory Traversal

Published

2023-09-26

Title

Welcart e-Commerce < 2.8.22 - Author+ Path Traversal

Published

2017-09-29

Title

Insert Pages < 3.2.4 - Directory Traversal