The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to and including 1.7.1 via the template_redirect() function. The plugin registers 'hippoo_serve' as a WordPress query variable and uses it to serve PWA files from the pwa/ directory. In vulnerable versions, the user-supplied value is concatenated directly into a filesystem path without any sanitization or directory confinement check, then passed to readfile(). This allows unauthenticated attackers to read arbitrary files on the server by injecting directory traversal sequences (../).
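The directory-confinement check that the vulnerable versions lack, as an added PHP example that is not the plugin's own code: the helper and callback names, the location of the pwa/ directory and the 404 response are assumptions, and the vulnerable pattern is shown only as a comment reconstructed from the description above.

```php
<?php
// Added illustration, not the plugin's code. The advisory describes the vulnerable
// pattern as a direct concatenation followed by readfile(), roughly:
//   readfile(plugin_dir_path(__FILE__) . 'pwa/' . get_query_var('hippoo_serve'));
// The hardened version below canonicalises the path and refuses anything that
// resolves outside the intended base directory.

// Hypothetical helper: return the canonical path of $requested inside $baseDir,
// or null if it cannot be served safely.
function hippoo_resolve_pwa_file(string $baseDir, string $requested): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject NUL bytes before any filesystem call; PHP path functions stop at them.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Only a plain relative name made of safe characters is accepted.
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $requested)) {
        return null;
    }
    // realpath() collapses any "../" segments, so the result can be compared to $base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Directory confinement: the canonical path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Hypothetical template_redirect callback using the helper (assumed name).
function hippoo_serve_pwa_file_hardened(): void {
    $requested = (string) get_query_var('hippoo_serve');
    if ($requested === '') {
        return; // not a PWA request, let WordPress continue
    }
    $path = hippoo_resolve_pwa_file(plugin_dir_path(__FILE__) . 'pwa', $requested);
    if ($path === null) {
        status_header(404);
        exit;
    }
    header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
    readfile($path);
    exit;
}
```

With this check in place, a request whose value contains traversal sequences resolves to a path outside pwa/ and is answered with a 404 instead of the file contents.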