WordPress Cherry < 1.2.7 - Unauthenticated Arbitrary File Upload and Download

By kannthu

Severity: High
Vidoc Module
#wpscan #wordpress #wp-plugin #lfi #wp
Description

What is "WordPress Cherry < 1.2.7 - Unauthenticated Arbitrary File Upload and Download"?

The "WordPress Cherry < 1.2.7 - Unauthenticated Arbitrary File Upload and Download" module detects a vulnerability in versions of the WordPress Cherry plugin below 1.2.7. The vulnerability allows an attacker to upload files directly to the server without authentication. Its severity is classified as high.

Impact

If exploited, this vulnerability can lead to unauthorized access to sensitive files on the server. An attacker could potentially upload malicious files or backdoors, compromising the security and integrity of the WordPress website.

How does the module work?

The module sends an HTTP GET request to the vulnerable endpoint:

/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php

The module then checks the response body for the words "DB_NAME" and "DB_PASSWORD", which indicate that the contents of wp-config.php were returned. It also verifies that the HTTP response status is 200.

If both conditions are met, the module reports a vulnerability, indicating that the WordPress Cherry plugin is susceptible to unauthenticated arbitrary file upload and download. The request itself exercises only the download (file read) endpoint; the upload side is not tested by this check.
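The same request pattern can be hunted for in web server access logs. The following is an added example, not Vidoc's module code: it assumes the Apache/nginx "combined" log format, the function names are illustrative, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint the module requests (path taken from the page).
ENDPOINT = "/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php"

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def normalize(value, rounds=3):
    """Undo nested percent-encoding and backslash path separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify(line):
    """Return a finding dict for a traversal request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if normalize(url.path).lower() != ENDPOINT:
        return None
    files = parse_qs(url.query, keep_blank_values=True).get("file", [])
    hits = [f for f in (normalize(v) for v in files) if "../" in f]
    if not hits:
        return None
    # A 200 means the server answered the request: treat as possible disclosure.
    verdict = "possible-disclosure" if m["status"] == "200" else "attempt"
    return {"ip": m["ip"], "file": hits[0], "status": int(m["status"]), "verdict": verdict}

def scan(lines):
    """Classify every log line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.4 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=export.zip HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

A "possible-disclosure" finding means wp-config.php may have been served, so the database credentials and salts it holds should be treated as exposed and rotated.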

Module preview

Concurrent Requests (1)

1. HTTP Request template
   GET /wp-content/plugins/...

Matching conditions
   word: DB_NAME, DB_PASSWORD
   and
   status: 200

Passive global matcher
   No matching conditions.

On match action
   Report vulnerability