lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 16 Jan 2017 15:17:13 +0100
From: "Diego" <>
To: <>
Subject: [FD] New exploit for new vulnerability in WordPress Plugin +

Hi guys.


I foun’t a new vulnerabiliti in a wordpress plugin called: “Direct Download
for WooCommerce”.


This vulnerability allow you make an Remote LFI download, so, we can
download any in the server where we’re running this plugin, I foun’t this
vulnerability the last week and I reported this to Kameleon but i don’t know
if this bug is partched right now in a new versión.


I’ve been written an exploit to this plugin in Python. This exploit allow


-          Test if the plugin exists in the server.

-          Download any file from the server where the WordPress plugin is

-         Select any option by default or make your own personalized


I published this exploit in my website today, here you’ve got the direct


Thanks for all!


-------- UPDATE --------

To see an completly tutorial about how to use this exploit you’ve got it in:


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists