Delightful Downloads <= 1.6.6 - Unauthenticated Path Traversal



Description
Since no authentication or authorisation checks are made for direct access to jqueryFileTree.php, the vulnerability allows browsing the host's file system from an unauthenticated context. Even though no file content can be exfiltrated this way, "hidden" files, e.g. in the web directories, can easily be enumerated. For example, this could be abused as a "file path/name leakage" step in another exploitation chain.


Edit (WPScanTeam):
- The issue was first discovered and reported to the authors by ambulong in 2017 - https://github.com/A5hleyRich/delightful-downloads/issues/165, but was never fixed.
- The issue has been escalated to WP plugin team on June 9th, 2020.

Proof of Concept
curl --data "dir=/etc/" http://example.com/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php
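
Because the plugin is closed with no known fix, site owners may want to check their logs for direct requests to this connector. The following is an added example, not part of the original advisory or the plugin: it scans combined-format access log lines for hits on the connector path from the proof of concept. The function names, the sample log lines and the rule that legitimate requests carry a wp-admin Referer are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Connector path suffix, taken from the advisory's proof of concept.
CONNECTOR = "/assets/vendor/jqueryfiletree/connectors/jqueryfiletree.php"

# Combined Log Format: ip - user [time] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)

def find_connector_hits(lines):
    """Return {client_ip: [request, ...]} for requests that reach the connector."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        # Skip unparsable lines and requests for any other path (query string ignored).
        if not m or not unquote(m["path"].split("?", 1)[0]).lower().endswith(CONNECTOR):
            continue
        hits[m["ip"]].append({
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            # Assumption: legitimate use comes from a wp-admin page. The Referer
            # header is client-controlled, so treat this as triage only.
            "from_admin": "/wp-admin/" in (m["referer"] or ""),
        })
    return dict(hits)

def suspicious_clients(hits):
    """Clients that got a 2xx answer from the connector without a wp-admin referer."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(200 <= r["status"] < 300 and not r["from_admin"] for r in reqs))

# Constructed sample log lines (documentation IP ranges, example.com host).
_URL = "/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jun/2020:10:00:01 +0000] "POST {_URL} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    f'198.51.100.4 - - [10/Jun/2020:10:02:11 +0000] "POST {_URL} HTTP/1.1" 200 733 '
    '"http://example.com/wp-admin/post.php?post=12&action=edit" "Mozilla/5.0"',
    f'192.0.2.55 - - [10/Jun/2020:10:05:42 +0000] "POST {_URL} HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Jun/2020:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(suspicious_clients(find_connector_hits(SAMPLE_LOG)))
```

Standard access logs do not record the POST body, so the requested `dir` value is not visible here; the check only shows which clients reached the connector and whether the server answered.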

Affects Plugin

no known fix
- plugin closed

References

CVE 2017-1000170
URL https://github.com/A5hleyRich/delightful-downloads/issues/165

Classification

Type TRAVERSAL
OWASP Top 10 A1: Injection
CWE CWE-22

Miscellaneous

Original Researcher ambulong (in 2017), Florian Hauser (rediscovery in 2020)
Submitter Twitter frycos
Verified Yes
WPVDB ID 10262

Timeline

Publicly Published 2017-05-11 (about 3 years ago)
Added 2020-06-10 (about 1 month ago)
Last Updated 2020-06-11 (about 1 month ago)
