When it comes to collecting data on WordPress plugin vulnerabilities, one of the things that sets us apart is that we check over reports before adding them to our data set. Doing that is valuable enough that the company behind the Wordfence Security plugin lies and claims the data they use has been “confirmed/validated” when it hasn’t (that is far from the only thing they lie about). Checking reports often leads to us finding that claimed vulnerabilities are false, or that vulnerabilities claimed to have been fixed haven’t been (incorrectly telling people that vulnerabilities have been fixed severely limits the usefulness of other data sources). Today it led to us finding a vulnerability in the plugin Ad Manager by WD.
Someone going by the handle 41!kh4224rDz disclosed that the current version of the plugin has an arbitrary file viewing vulnerability. When we tested that out, we found that after trying the proof of concept, which allowed viewing the contents of the WordPress configuration file, wp-config.php, the WordPress setup screen would show when trying to access any page of the website. That would indicate that the WordPress configuration file wasn’t there anymore. That turns out to be because, right after the last line of code that causes the arbitrary file viewing vulnerability, the same file being viewed is passed to the unlink() function, which deletes it:
Proof of Concept
The following proof of concept will delete a file named “test.txt” in the root directory of the website.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/edit.php?post_type=wd_ads_ads&export=export_csv&path=../test.txt
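As an added example (not the plugin’s own code, which is not shown in this post), this is the pattern a defender should look for in a fix for the read-then-unlink step described above: resolve the requested path with realpath() and refuse anything that does not stay inside the intended export directory before the file is read or deleted. The directory and file names are constructed for the demonstration and are not taken from the plugin.

```php
<?php
// Added example: confine a user-supplied "path" parameter to one export directory.
// Returns the resolved absolute path, or null if the request escapes the directory.
function resolve_export_path(string $export_dir, string $requested): ?string {
    $base = realpath($export_dir);
    if ($base === false) {
        return null; // the export directory itself is missing
    }
    // Reject NUL bytes before touching the filesystem; they truncate paths in C-level calls.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" segments and symlinks, so the prefix check
    // below is done on the real location, not on the attacker-supplied string.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null; // does not exist or is unreadable
    }
    // The prefix must include the separator so that "/var/exports2" is not
    // accepted as being inside "/var/exports".
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (!is_file($target)) {
        return null; // a directory is not an export file
    }
    return $target;
}

// Hardened version of the read-then-delete step: only a validated path reaches unlink().
function export_and_remove(string $export_dir, string $requested): ?string {
    $path = resolve_export_path($export_dir, $requested);
    if ($path === null) {
        return null;
    }
    $contents = file_get_contents($path);
    unlink($path);
    return $contents;
}

// Constructed demo layout: a temporary export directory holding one CSV,
// plus one file outside it standing in for wp-config.php.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'export_demo_' . getmypid();
mkdir($root . '/exports', 0700, true);
file_put_contents($root . '/exports/report.csv', "id,title\n1,demo\n");
file_put_contents($root . '/secret.txt', "DB_PASSWORD=constructed\n");

var_dump(export_and_remove($root . '/exports', 'report.csv') !== null);
var_dump(export_and_remove($root . '/exports', '../secret.txt'));
var_dump(file_exists($root . '/secret.txt'));
```

Run with the PHP CLI: the in-directory file is exported and removed, the traversal request is refused, and the file outside the export directory is left untouched.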