@sterndata Remove this topic if that’s the case. However, this should be fixed.
Hi all,
As posted in the recent thread mentioning this: https://wordpress.org/support/topic/path-traversal-lead-to-arbitrary-file-reading/#post-13374155
Hi,
This plugin is intentional in how it works – it allows accessing any file on the server by design.
It should not be used by untrusted users on a site.
The security report is nothing more than missing the fact there’s a link on the page that goes to that exact place (so no URL modifications required).
If it’s being used on a server with untrusted users, there’s an option in the plugin settings to lock it to a specific Root Directory which will prevent untrusted users being able to access all server files (Untrusted users being non-administrators, administrators can install plugins/edit plugins/etc and as such are trusted users that can access things like that).
This plugin should really not be used today, there’s almost zero reason to use it, use the browser upload tools or contact your webhost to fix it so that the uploader works for you. 13 years ago when this plugin was written there was a real need, today not so much.
tl;dr: There’s no security issue here, it’s working exactly how it’s intended to, but you probably shouldn’t be using it.
If this is enough to make you finally stop using the plugin, so be it, but many of you use it for the exact reason that the “researcher” claims is a vulnerability.. you can’t have it both ways.
I didn’t see the other thread when I posted this. My apologies. Unfortunately, I cannot modify or delete it. @sterndata was able to approve it, should also remove it.
It’s good to know, there is no security issue for “admin” Administrator as I’m the only one that deals with my website 🙂
This plugin should really not be used today, there’s almost zero reason
The reason I use it is I have downloaded zips in other custom folders in wp-content/uploads that I upload by cPanel File Manager. I do this because I don’t want these downloads mixed in the year folders as it makes it easy for me to swap and so on. The problem is, WordPress Media Library won’t show those download zips by default.
So this is where your plugin comes in. It will show them in the media library with the URL to the folder for WooCommerce. Sure, I could just copy the URL path manually from cPanel and add that in the digital products page, but your plugin makes it much easier.
If you say I shouldn’t use it anymore, please point me to something that does the same but still is updated.
So yeah, I have 1 use for it! It’s wonderful and lightweight.
As it’s not a vulnerability — or more accurately, a deliberate thing — the entire topic is now publicly visible.
