WordPress Shared Files Plugin Path Traversal Vulnerability Allowing Arbitrary File Download
Vulnerability
A path traversal vulnerability has been identified in the WordPress Shared Files plugin, affecting versions prior to 1.7.58. This vulnerability allows users with a minimum role of Contributor to download any file from the web server, including sensitive files like wp-config.php.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, potentially including configuration files or other critical data.
Reproduction
To reproduce this vulnerability, log in as a Contributor or a user with similar permissions. Create a new shared file and intercept the POST request to wp-admin/post.php. Modify the '_sf_file_uploaded_file' parameter to include a path traversal sequence that points to the wp-config.php file. After saving the post, an admin user can publish it and access the public download link, which will trigger the download of wp-config.php.
Remediation
Users are advised to update the Shared Files WordPress plugin to version 1.7.58 or later.