Publicly Released Advisories
This Exploits some filters were missing in the view templates where dynamic content was being passed allowing for stored XSS which could be leveraged to steal administrative sessions. This issue arose because XSS Filters weren't enabled consistently in the framework.
WordPress Plugin Membership Simplified v1.58 allows for download of files without authentication. This allowed for download of configuration files. The issue was in the download_file parameter which lacked a restriction of files and folders to use.
RCE on Multiple WP Plugins
A number of plugins contained an RCE based on the mode they did file uploads; this script lead to multiple CVE's as listed below for plugins affected:
1. Zen App Mobile Native <=3.0 (CVE-2017-6104)
2. WordPress Plugin webapp-builder v2.0 (CVE-2017-1002002)
3. WordPress Plugin wp2android-turn-wp-site-into-android-app v1.1.4 (CVE-2017-1002003)
4. WordPress Plugin mobile-app-builder-by-wappress v1.05 (CVE-2017-1002001)
5. WordPress Plugin mobile-friendly-app-builder-by-easytouch v3.0 (CVE-2017-1002000)
WordPress Aspose Cloud eBook Generator allows for download of files without authentication.
The plugin contains a feature to download generated e-books.
This feature inadvertently enabled the retrieval of configuration files, highlighting a specific concern in the context of the file parameter.
Within the code of the
aspose_posts_exporter_download.php file, a deficiency became evident as it lacked appropriate constraints on permissible files and folders for utilization allowing for critical configuration files to be downloaded after a directory traversal which escalates the attack beyond the application itself to the backend database.
RCE on WP User Frontend
WP User Frontend Plugin
which is a membership plugin was found to lack filters in how it uploaded files via the
wpuf_file paramter; this allowed a user to successfully upload an executable file on the backend and call the web shell via the media folders. The issue affected plugins with version < 2.3.11
The CVE's below were clustered as they are over a decade old and wouldn't be in use anywhere but exploit code is relevant:
1. Apache Byte Range Server DoS (CVE-2011-3192)
2. LibLime Koha <= 4.2 – Local File Inclusion Vulnerability (CVE-2011-4715)