CVE-2023-2180: 
WordPress vulnerability analysis and mitigation

The KIWIZ Invoices Certification & PDF System WordPress plugin through version 2.1.3 contains a vulnerability where it does not validate the path of files to be downloaded. This security issue was discovered and publicly disclosed on April 19, 2023, affecting the WordPress plugin 'woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz'. The vulnerability has been assigned CVE-2023-2180 and received a CVSS score of 7.5 (High) (WPScan).

The vulnerability stems from improper validation of file paths in the download functionality. An unauthenticated attacker can exploit this by manipulating the file_name parameter in the concat-pdf.php endpoint. The exploit involves using base64 encoded path traversal sequences to access files outside the intended directory. For example, accessing wp-config.php can be achieved by sending a request to concat-pdf.php with a base64 encoded path traversal sequence. The downloaded file will have a PDF extension, which needs to be changed to the appropriate extension after download (WPScan).

The vulnerability allows unauthenticated attackers to read and download arbitrary files from the server. Additionally, if an attacker can upload files to the server, they can potentially perform PHAR unserialization attacks. This could lead to unauthorized access to sensitive files such as wp-config.php, which contains database credentials and other critical configuration information (WPScan).

As of the vulnerability disclosure, there is no known fix available for this security issue. Website administrators using the KIWIZ Invoices Certification & PDF System plugin should consider either removing the plugin or implementing additional security controls at the web server level to prevent unauthorized file access (WPScan).