Since no authentication or authorisation checks for direct access to the jqueryFileTree.php are made, the vulnerability allows for browsing the file system on a host out of an unauthenticated context. Even though no file content can be exfiltrated this way, “hidden” files e.g. in the web directories could easily enumerated this way. E.g. this could be abused for a “file path/name leakage” in another exploitation chain. Edit (WPScanTeam): - The issue was first discovered and reported to the authors by ambulong in 2017 - https://github.com/A5hleyRich/delightful-downloads/issues/165, but was never fixed. - The issue has been escalated to WP plugin team on June 9th, 2020.
curl --data “dir=/etc/” http://example.com/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php
CPE | Name | Operator | Version |
---|---|---|---|
delightful-downloads | eq | * |