CVE-2014-9014
published 2019-11-06
CVE-2014-9014: Directory traversal vulnerability in the ajaxinit function in wpmarketplace/libs/cart.php in the WP Marketplace plugin before 2.4.1 for WordPress allows remote…
Priority P339 · medium · 4.3 · CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
EXPLOIT
EPSS 11.90% · 95.6th percentile
Directory traversal vulnerability in the ajaxinit function in wpmarketplace/libs/cart.php in the WP Marketplace plugin before 2.4.1 for WordPress allows remote authenticated users to download arbitrary files via a .. (dot dot) in the file parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpmarketplace_project | wpmarketplace | — | — |
CVSS provenance
nvd · v3.1 · 4.3 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd · v2.0 · 4.0 · MEDIUM · AV:N/AC:L/Au:S/C:P/I:N/A:N
No detection rules found.
Exploit-DB
WordPress Plugin Marketplace 2.4.0 - Remote Code Execution (Add Admin)
exploitdb·2015-03-25
CVE-2014-9014 WordPress Plugin Marketplace 2.4.0 - Remote Code Execution (Add Admin)
---
```python
#!/usr/bin/python
#
# Exploit Name: WP Marketplace 2.4.0 Remote Command Execution
#
# Vulnerability discovered by Kacper Szurek (http://security.szurek.pl)
#
# Exploit written by Claudio Viviani
#
#
#
# --------------------------------------------------------------------
#
# The vulnerable function is located on "wpmarketplace/libs/cart.php" file:
#
# function ajaxinit(){
#     if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
#         if(function_exists($_POST['execute']))
#             call_user_func($_POST['execute'],$_POST);
#         else
#             echo __("function not defined!","wpmarketplace");
#         die();
#     }
# }
#
# Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook).
# wpmp_pp_ajax_call() call functions
```
Exploit-DB
WordPress Plugin Marketplace 2.4.0 - Arbitrary File Download
exploitdb·2015-03-22·CVSS 8.8
CVE-2014-9014 [HIGH] WordPress Plugin Marketplace 2.4.0 - Arbitrary File Download
---
# Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download
# Date: 26-10-2014
# Software Link: https://wordpress.org/plugins/wpmarketplace/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9013 and CVE-2014-9014
1. Description
Anyone can run a user-defined function because of call_user_func.
File: wpmarketplace\libs\cart.php
```php
function ajaxinit(){
    if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
        if(function_exists($_POST['execute']))
            call_user_func($_POST['execute'],$_POST);
        else
            echo __("function not defined!","wpmarketplace");
        die();
    }
}
```
http://security.szurek.pl/wp-marketplace-240-arbitrary-file-do
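For contrast with the `ajaxinit()` dispatch quoted above, the following added example (not the plugin's code and not the actual 2.4.1 fix) shows a hardened pattern in plain PHP: the `execute` value is only a lookup key into a server-side allow-list, and a requested file name is resolved and confined to a base directory. All `wpmp_demo_*` names, the handler, and the sample files are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical handler standing in for one of the plugin's AJAX callbacks.
function wpmp_demo_cart_count(array $post): string
{
    return 'items: ' . (int) ($post['count'] ?? 0);
}

// Dispatch only to callbacks registered server-side. The request value is a
// lookup key; it is never handed to function_exists()/call_user_func() itself.
function wpmp_demo_dispatch(array $post, array $allowed): string
{
    $name = $post['execute'] ?? '';
    if (!is_string($name) || !array_key_exists($name, $allowed)) {
        return 'function not defined!';
    }
    return (string) call_user_func($allowed[$name], $post);
}

// Resolve a requested download inside $baseDir, or return null.
// realpath() collapses ".." and symlinks before the prefix comparison.
function wpmp_demo_resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample data: one file inside the download directory, one outside.
$tmp = sys_get_temp_dir();
$dir = $tmp . DIRECTORY_SEPARATOR . 'wpmp_demo_files';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.txt', 'inside');
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'wpmp_demo_outside.txt', 'outside');

$allowed = ['cart_count' => 'wpmp_demo_cart_count'];
var_dump(wpmp_demo_dispatch(['execute' => 'cart_count', 'count' => '3'], $allowed));
var_dump(wpmp_demo_dispatch(['execute' => 'phpinfo'], $allowed));
var_dump(wpmp_demo_resolve_download($dir, 'report.txt'));
var_dump(wpmp_demo_resolve_download($dir, '../wpmp_demo_outside.txt'));
```

In a real WordPress handler the same dispatch would additionally sit behind a nonce check (`check_ajax_referer()`) and a capability check (`current_user_can()`).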
No writeups or analysis indexed.
2019-11-06
Published