StoreEngine WordPress Plugin Path Traversal Vulnerability Allowing Arbitrary File Download
Vulnerability
A path traversal vulnerability has been identified in the StoreEngine WordPress eCommerce Plugin, specifically in versions through 1.5.0. The issue arises in the file_download() function within the CSV Import/Export addon, which must be enabled by an administrator. This vulnerability allows authenticated users with Subscriber-level access and above to download arbitrary files from the server, including sensitive WordPress configuration files and other critical system files. The vulnerability is exploited by manipulating the filename parameter to traverse directories and access restricted files.
Impact
Exploitation of this vulnerability allows for arbitrary file downloads, including sensitive WordPress files such as wp-config.php, which contains database credentials and other critical information.
Reproduction
To reproduce this vulnerability, first ensure that the StoreEngine CSV Import/Export addon is activated. Then, log in as an authenticated user with Subscriber-level access or higher. Intercept a request to the 'storeengine_csv/file_download' action and modify it to include a path traversal payload, such as '../../../../../wp-config.php', to download the WordPress configuration file.
Remediation
Users are advised to update the StoreEngine WordPress Plugin to version 1.5.1 or later, where this vulnerability has been patched.
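To check whether the endpoint was requested with traversal sequences before the update was applied, the following added example (not code from the plugin or from the original advisory) scans web server access logs for the 'storeengine_csv/file_download' action with a filename that leaves its directory. It assumes combined log format, requests routed through /wp-admin/admin-ajax.php, and the action and filename parameters visible in the query string; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ACTION = "storeengine_csv/file_download"  # action name from the advisory
# Assumption: combined log format with the parameters visible in the query string.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so nested encodings are compared in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(filename):
    """True if the name has a '..' path segment or starts at the filesystem root."""
    name = fully_decode(filename).replace("\\", "/")
    return name.startswith("/") or ".." in name.split("/")

def find_suspicious(lines):
    """Return (client_ip, decoded_filename, http_status) for each flagged request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        ip, target, status = match.groups()
        params = parse_qs(urlsplit(target).query)  # parse_qs decodes one layer
        if ACTION not in (fully_decode(a) for a in params.get("action", [])):
            continue
        for filename in params.get("filename", []):
            if is_traversal(filename):
                hits.append((ip, fully_decode(filename), int(status)))
    return hits

# Constructed sample lines for illustration, not real traffic.
URL = "/wp-admin/admin-ajax.php?action="  # assumed request path
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET {URL}storeengine_csv/file_download&filename=products.csv HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [01/Jan/2025:10:02:13 +0000] "GET {URL}storeengine_csv/file_download&filename=../../../../../wp-config.php HTTP/1.1" 200 3312',
    f'198.51.100.4 - - [01/Jan/2025:10:05:40 +0000] "GET {URL}storeengine_csv%2Ffile_download&filename=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 0',
    f'198.51.100.4 - - [01/Jan/2025:10:06:02 +0000] "GET {URL}heartbeat&filename=../x HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A flagged request answered with status 200 while a version through 1.5.0 was installed is a reason to rotate the database credentials stored in wp-config.php. Parameters sent in a POST body do not appear in default access logs, so that case needs request-body logging.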
