wordpress-affiliatewp-log: WordPress Plugin "AffiliateWP -- Allowed Products" Log Disclosure

漏洞描述

PoC代码[已公开]

id: wordpress-affiliatewp-log

info:
  name: WordPress Plugin "AffiliateWP -- Allowed Products" Log Disclosure
  author: dhiyaneshDK
  severity: low
  description: Exposed debug log in AffiliateWP Wordpress Plugin
  metadata:
    max-request: 1
  tags: wordpress,log,plugin,vuln

http:
  - method: GET
    path:
      - '{{BaseURL}}/wp-content/uploads/affwp-debug.log'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Referral could not be retrieved'
          - 'Affiliate CSV'

      - type: word
        words:
          - 'text/plain'
        part: header

      - type: status
        status:
          - 200
# digest: 4a0a004730450220495c4c7576c578b12a44dca3eaff6663d6ba2a01298e5f8a47381189d6619cab022100d02003a8a316cd3d6ca21502e8dbff5ed3b827deae8f014579a94fff123b6c83:922c64590222798bb761d5b6d8e72950

相关漏洞推荐

• WordPress Kognetiks Chatbot for WordPress <= 2.0.0 任意文件上传漏洞
• WordPress Verbalize WP 存在任意文件上传漏洞（CVE-2024-49668）
• POC CVE-2021-4374: WordPress Automatic Plugin - Unauthenticated Options Change
• POC CVE-2024-8852: All-in-One WP Migration < 7.87 - Unauthenticated Information Disclosure
• POC CVE-2025-11749: WordPress AI Engine Plugin - Token Exposure
• WordPress WooCommerce Designer Pro 插件 /wp-admin/admin-ajax.php wcdp_save_canvas_design_ajax 文件上传漏洞（CVE-2025-6440）
• POC CVE-2025-4302: Stop User Enumeration WordPress plugin - Authentication Bypass
• POC generic-php-files: Generic PHP Backup Information Disclosure
• WordPress Google for WooCommerce /wp-content/plugins/google-listings-and-ads/vendor/googleads/google-ads-php/scripts/print_php_information.php 信息泄露漏洞（CVE-2024-10486）
• WordPress Events Manager /wp-admin/admin-ajax.php SQL 注入漏洞（CVE-2025-6970）
• wordpress /wp-json/wp/v2/users 信息泄露漏洞
• （CVE-2024-6690）WordPress插件wccp-pro开放重定向漏洞
• WordPress plugin WP JobHunt 跨站脚本漏洞