Cherry Plugin < 1.2.7 - Arbitrary File Retrieval and File Upload

By kannthu

Severity: High
Vidoc Module
#wordpress #wp-plugin #lfi #wpscan
Description

What is the "Cherry Plugin < 1.2.7 - Arbitrary File Retrieval and File Upload" module?

The "Cherry Plugin < 1.2.7 - Arbitrary File Retrieval and File Upload" module is a test case designed to detect a vulnerability in the Cherry Plugin for WordPress. Versions of the plugin before 1.2.7 have a high-severity vulnerability that allows unauthenticated file upload and download, potentially leading to unauthorized access and data leakage.

The module was authored by 0x_Akoko and is classified as CWE-22. The CVSS score for this vulnerability is 8.6, indicating a significant security risk.

Impact

If exploited, this vulnerability in Cherry Plugin < 1.2.7 allows attackers to upload arbitrary files to, and download arbitrary files from, the affected WordPress site. This can lead to unauthorized access to sensitive information, such as the database credentials stored in the wp-config.php file.

How does the module work?

The module sends an HTTP GET request to the vulnerable endpoint:

/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php

The module then applies two matching conditions:

- The response body must contain the words "DB_NAME" and "DB_PASSWORD" to indicate the presence of database credentials.
- The response status code must be 200, indicating a successful request.

If both conditions are met, the module reports the vulnerability, indicating that the Cherry Plugin < 1.2.7 is susceptible to arbitrary file retrieval and file upload.
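From the defender's side, the same request pattern can be hunted in web server access logs. The following is an added example, not part of the Vidoc module: it assumes logs in Combined Log Format, the sample lines are constructed, and the function names are hypothetical. It also catches percent-encoded and double-encoded traversal, which goes beyond the single literal request shown above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint path as given in the module description.
ENDPOINT = "/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php"
# Combined Log Format up to the status code (the log format is an assumption).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding dict for a traversal request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # endswith() also covers WordPress installed in a subdirectory.
    if not fully_decode(url.path).lower().endswith(ENDPOINT):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("file", []):
        name = fully_decode(raw).replace("\\", "/")
        if ".." in name.split("/"):
            # Status 200 mirrors the module's matcher: the file was likely served.
            return {"ip": m["ip"], "file": name, "served": m["status"] == "200"}
    return None

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "GET ' + ENDPOINT +
    '?file=../../../../../wp-config.php HTTP/1.1" 200 3120 "-" "-"',
    '198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /blog' + ENDPOINT +
    '?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.5 - - [10/Mar/2024:10:01:00 +0000] "GET ' + ENDPOINT +
    '?file=export.zip HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A finding with `served` set to true means the server answered 200 to a traversal request, so the requested file should be treated as disclosed and any credentials in it rotated.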

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /wp-content/plugins/...
Matching conditions
word: DB_NAME, DB_PASSWORD (and)
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability