If you run a WooCommerce store, you may be familiar with the Booster for WooCommerce plugin family, popular tools that extend WooCommerce sites on WordPress. Earlier versions of these plugins carried a serious security flaw, CVE-2022-3762: an authenticated Shop Manager or Administrator could download _any_ file the web server's PHP process can read, not just the exports the download feature was meant to serve.
Affected Versions
- Booster Elite for WooCommerce (before version 1.1.7); fixed in 1.1.7
This report breaks down how the vulnerability works, how it can be abused, and what to do about it.
Understanding the Vulnerability
Many Booster modules include features for exporting customer lists, order reports, or product data. To deliver these, they offer file download links in the WordPress admin area. A download endpoint like this must restrict requests to one fixed export directory and validate the requested name against an allowlist before it touches the filesystem.
Early versions of these plugins did not validate the requested file at all. A user with Shop Manager or Administrator access could edit the download link to fetch _any file_ the PHP process can read, including files far outside the plugin's export folder.
This matters most where a user is trusted with reports but not with the server. A single-site Administrator can usually already run code by installing a plugin, so the new exposure there is small; a Shop Manager cannot, and neither can a site Administrator in a WordPress multisite, where only the Super Admin may install plugins or edit files. On multisite every site also shares one wp-config.php and one database, so a Shop Manager on any child site can read the credentials and authentication salts for the whole network. On shared hosting, whether the process can also read other customers' files depends on the host's file permissions.
Typical (Vulnerable) Download Handler
```php
<?php
// Example based on common plugin download logic (simplified, deliberately vulnerable).
// Runs on an admin page; the only role check is whatever that page enforces.
if ( isset( $_GET['booster_download'] ) && ! empty( $_GET['file'] ) ) {
    $file = $_GET['file'];
    // No sanitization, validation, or path restrictions here!
    $filepath = ABSPATH . $file; // user input appended straight onto the server path
    // file_exists() lets the filesystem resolve any "../" segments, so traversal succeeds.
    if ( file_exists( $filepath ) ) {
        header( 'Content-Type: application/octet-stream' );
        header( 'Content-Disposition: attachment; filename="' . basename( $filepath ) . '"' );
        readfile( $filepath ); // streams whatever the PHP process can read
        exit;
    }
}
```
- No check that the file is within an allowed plugin folder (for example, only the exports or logs directory). realpath() is never called, so `../` segments are resolved by the filesystem rather than rejected by the plugin.
- No sanitization: a Shop Manager can request ../../wp-config.php or any other file the PHP process can read. With this simplified handler the prefix is ABSPATH, so file=wp-config.php already works; the `../` segments become necessary when the real plugin builds its path from a deeper export directory, and the number needed is simply the depth of that directory.
- In the snippet nothing ties the download to a nonce either, so a crafted link could also be handed to a logged-in Shop Manager to click.
Example Exploit Request
https://example.com/wp-admin/admin.php?page=booster_tools&booster_download=1&file=../../wp-config.php
- In a multisite, a Shop Manager on _Site B_ could pull _Site A_'s uploaded files from wp-content/uploads/sites/<id>/ as well as the single wp-config.php shared by the entire network.
Who Can Exploit It?
- Any authenticated user with the Shop Manager or Administrator role.
- In a multisite network, this means a Shop Manager on _one_ child site can endanger every other site on the network.
Steps to Reproduce
1. Log in with a Shop Manager (or Administrator) account.
2. Navigate to a Booster “Reports” page (which presents a download feature).
3. Intercept or craft a download request, substituting the file parameter with a sensitive path, for example ../../wp-config.php or ../../.env.
Real-World Impact
- Privilege Escalation: a Shop Manager holding a single user account reads the database credentials and authentication salts from wp-config.php. On multisite that is the whole network's database; with it, every site's data, including password hashes, can be read and altered.
- Data Leakage: backups, logs, or `.env` files intended for server administrators can be pulled by any Shop Manager.
- Chain Attacks: leaked database credentials that are reused elsewhere, or a database reachable from the attacker's position, let the attacker move on to other applications or sites on the same host.
Proof-of-Concept Screenshot
*(not shown for security reasons, but a similar scenario is easy to reproduce with cURL or Burp Suite)*
How to Protect Your Store
1. Update the Plugin:
Upgrade Booster Elite for WooCommerce to 1.1.7 or later. The fixed release validates the requested file before serving it; nothing short of updating removes the bug.
2. Review Multisite Permissions:
If you run WordPress multisite, audit who holds the Shop Manager and Administrator roles on every child site. A child-site Administrator is not a Super Admin and normally cannot read server files, so this bug is a real escalation for them too.
3. Check for Unusual Logs/Access:
Search the web server access log, for the period before you updated, for requests to the download action whose file parameter contains `../`, an absolute path, or names such as wp-config.php or .env. A matching request answered with HTTP status 200 means the file was served. Treat that as a credential leak: rotate the database password, regenerate the salts in wp-config.php (this logs every user out), and review the accounts behind the requests.
4. Security Plugin Scans:
Run a scan with Wordfence or Sucuri. These catch known malware and web shells left behind after a compromise and may block traversal patterns in live requests, but they cannot tell you what was downloaded last month; the access log is the authoritative record for that.
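The log check in step 3, as an added example that is not part of the advisory: a small PHP CLI script that parses combined-format access log lines, pulls the file parameter out of download requests, and flags traversal, absolute paths, double-encoded variants and known-sensitive names. The log lines are constructed, the function names are illustrative, and the parameter names follow the request shown earlier.

```php
<?php
// Added example, not part of the advisory: triage a web-server access log for
// download requests whose file parameter escapes the export directory. The log
// lines are constructed; the parameter names follow the request shown above.

function booster_example_is_suspicious_file_param(string $value): bool
{
    // Decode twice: double-encoded traversal (%252e%252e%252f) is a common WAF bypass.
    $decoded = str_replace('\\', '/', rawurldecode(rawurldecode($value)));
    if (strpos($decoded, "\0") !== false || ($decoded !== '' && $decoded[0] === '/')) {
        return true;                                  // null byte or absolute path
    }
    if (preg_match('#(^|/)\.\.(/|$)#', $decoded)) {   // any ".." path segment
        return true;
    }
    // Sensitive targets that need no traversal when the base directory is ABSPATH.
    return (bool) preg_match('#(^|/)(wp-config\.php|\.env|\.htaccess)$|\.sql(\.gz)?$#i', $decoded);
}

/** Return the fields of every download request that carried a suspicious file parameter. */
function booster_example_scan_log(array $lines): array
{
    // Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
    $re = '#^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})#';
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        $query = parse_url($m[5], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);                   // parse_str() URL-decodes once
        if (!isset($params['booster_download'], $params['file'])
            || !booster_example_is_suspicious_file_param((string) $params['file'])) {
            continue;
        }
        $hits[] = [
            'ip'     => $m[1],
            'time'   => $m[3],
            'file'   => $params['file'],
            'status' => (int) $m[6],
            // 200 means the server actually sent the file; 403/404 was a failed attempt.
            'served' => $m[6] === '200',
        ];
    }
    return $hits;
}

// Constructed sample (Apache/nginx combined format). Only GET query strings are logged,
// so a download triggered by POST would not show its file parameter here.
$sample = [
    '203.0.113.7 - - [20/Nov/2022:09:14:02 +0000] "GET /wp-admin/admin.php?page=booster_tools&booster_download=1&file=orders.csv HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Nov/2022:09:15:31 +0000] "GET /wp-admin/admin.php?page=booster_tools&booster_download=1&file=../../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [20/Nov/2022:11:02:10 +0000] "GET /wp-admin/admin.php?page=booster_tools&booster_download=1&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120 "-" "curl/7.85.0"',
    '198.51.100.23 - - [20/Nov/2022:11:03:44 +0000] "GET /wp-admin/admin.php?page=booster_tools&booster_download=1&file=/etc/passwd HTTP/1.1" 404 231 "-" "curl/7.85.0"',
    '192.0.2.9 - - [20/Nov/2022:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
];

foreach (booster_example_scan_log($sample) as $hit) {
    printf("%-14s %s  file=%-40s status=%d %s\n", $hit['ip'], $hit['time'],
        $hit['file'], $hit['status'], $hit['served'] ? 'FILE WAS SERVED' : 'attempt failed');
}
```

Run it with `php scan.php` after pasting in real log lines (or reading them from a file). The access log records the client IP and time but not the WordPress username, so match each hit against your login records or audit plugin to identify the account; any hit marked as served should be treated as a confirmed leak of that file.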
References
- wpvulndb.com - CVE-2022-3762
- NIST NVD - CVE-2022-3762
- Official Patch Notes / Booster Changelog
- Wordfence Blog: Arbitrary File Download in Booster for WooCommerce
Summary
CVE-2022-3762 is a reminder of how much damage a single missing path check can do. Arbitrary file download bugs need no memory corruption and no special tooling, only a crafted URL from a logged-in user, and the payoff is frequently a configuration file full of credentials. If you use Booster for WooCommerce in any form, confirm you are on a patched release, review the access log for download requests made before the upgrade, and keep plugins patched.
Timeline
Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:18:00 UTC