CVE-2015-5471
Published: 2016-01-12
Priority P275 · medium · 5.3 · CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 32.71% (98.1th percentile)
Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| swim_team_project | swim_team | — | — |
Detection & IOCs
URL: {{BaseURL}}/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress
- Monitor HTTP GET requests to /wp-content/plugins/wp-swimteam/include/user/download.php with a 'file' parameter containing absolute paths (e.g., /etc/passwd). The endpoint is unauthenticated and does not sanitize the 'file', 'filename', or 'contenttype' parameters.
- Alert on query strings containing 'transient=1' and 'abspath=' alongside a 'file=' parameter pointing to system paths in requests to the wp-swimteam download.php endpoint.
- Use the Google dork inurl:"/wp-content/plugins/wp-swimteam" to identify exposed WordPress instances running the vulnerable plugin.
- Responses containing the pattern 'root:[x*]:0:0' in the body of a 200 OK response to the download.php endpoint confirm successful exploitation.
- The vulnerability exists in Swim Team plugin version 1.44.10777 only; version 1.45beta3 and later include a fix. Detections should be scoped to installations running the vulnerable version.
- The 'file' parameter value is URL-decoded before being passed to fopen(), so URL-encoded path traversal sequences (e.g., %2F) may bypass naive string-matching detections.
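The detection notes above, combined into one access-log check that decodes the 'file' parameter before matching, so percent-encoded and double-encoded absolute paths are still caught. This is an added example, not code from the plugin, the advisory or the Nuclei template; the combined log format, the function names, the three-round decode bound and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/wp-content/plugins/wp-swimteam/include/user/download.php"
# Request target and status from a combined-format access log entry (assumed format).
REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable; max_rounds is an assumed safety bound."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding dict for a suspicious request, else None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # endswith() also covers WordPress installed in a subdirectory.
    if not posixpath.normpath(fully_decode(parts.path)).endswith(ENDPOINT):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs decodes once; decode again because the plugin calls urldecode().
    files = [fully_decode(v) for v in params.get("file", [])]
    absolute = [f for f in files if f.startswith("/")]
    if not absolute:
        return None
    return {"file": absolute[0], "status": int(m["status"]),
            "high_confidence": "transient" in params and "abspath" in params}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jul/2015:10:00:00 +0000] "GET /wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress HTTP/1.1" 200 1432',
    '203.0.113.7 - - [13/Jul/2015:10:00:05 +0000] "GET /blog/wp-content/plugins/wp-swimteam/include/user/download.php?file=%252Fetc%252Fpasswd HTTP/1.1" 200 1432',
    '198.51.100.9 - - [13/Jul/2015:10:01:00 +0000] "GET /wp-content/plugins/wp-swimteam/include/user/download.php?file=roster.csv HTTP/1.1" 200 512',
    '198.51.100.9 - - [13/Jul/2015:10:02:00 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The second sample line carries no literal `/etc/passwd` in the raw log, so a plain substring match would miss it; only the decoded value reveals the absolute path.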
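CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 5.3 | MEDIUM | — |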
GHSA
GHSA-ggwx-f7rc-cqh9: Absolute path traversal vulnerability in include/user/download
ghsa_unreviewed·2022-05-17
CVE-2015-5471 [MEDIUM] CWE-22 GHSA-ggwx-f7rc-cqh9: Absolute path traversal vulnerability in include/user/download
VulnCheck
swim_team_project swim_team Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2015·CVSS 5.3
CVE-2015-5471 [MEDIUM] swim_team_project swim_team Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: swim_team_project swim_team
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2015-5471
No detection rules found.
Exploit-DB
WordPress Plugin Swim Team 1.44.10777 - Arbitrary File Download
exploitdb·2015-07-13
CVE-2015-5471 WordPress Plugin Swim Team 1.44.10777 - Arbitrary File Download
---
Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134
Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.
Vulnerability:
The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files:
50 $file = urldecode($args['file']) ;
51 $fh = fo
Nuclei
Swim Team <= v1.44.10777 - Local File Inclusion
nuclei·CVSS 5.3
CVE-2015-5471 [MEDIUM] Swim Team <= v1.44.10777 - Local File Inclusion
The program /wp-swimteam/include/user/download.php allows unauthenticated attackers to retrieve arbitrary files from the system.
Template:
```yaml
id: CVE-2015-5471
info:
  name: Swim Team <= v1.44.10777 - Local File Inclusion
  author: 0x_Akoko
  severity: medium
  description: The program /wp-swimteam/include/user/download.php allows unauthenticated attackers to retrieve arbitrary files from the system.
  impact: |
    An attacker can exploit this vulnerability to read sensitive information from the server, such as database credentials, and potentially execute arbitrary code.
  remediation: Upgrade to Swim Team version 1.45 or newer.
  reference:
    - https://wpscan.com/vulnerability/b00d9dda-721d-4204-8995-093f695c3568
    - http://www.vapid.dhs.org/advisory.php?v=134
```
References
- http://michaelwalsh.org/blog/2015/07/wp-swimteam-v1-45-beta-3-now-available/
- http://packetstormsecurity.com/files/132653/WordPress-WP-SwimTeam-1.44.10777-Arbitrary-File-Download.html
- http://www.securityfocus.com/bid/75600
- http://www.vapid.dhs.org/advisory.php?v=134
- https://wordpress.org/support/topic/security-vulnerability-6
- https://wpvulndb.com/vulnerabilities/8071