[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] New exploit for new vulnerability in WordPress Plugin + tutorial

Hi guys.


I foun?t a new vulnerabiliti in a wordpress plugin called: ?Direct Download
for WooCommerce?.


This vulnerability allow you make an Remote LFI download, so, we can
download any in the server where we?re running this plugin, I foun?t this
vulnerability the last week and I reported this to Kameleon but i don?t know
if this bug is partched right now in a new versión.


I?ve been written an exploit to this plugin in Python. This exploit allow


-          Test if the plugin exists in the server.

-          Download any file from the server where the WordPress plugin is

-         Select any option by default or make your own personalized


I published this exploit in my website today, here you?ve got the direct



Thanks for all!


-------- UPDATE --------

To see an completly tutorial about how to use this exploit you?ve got it in:



Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/