IP Blacklist Cloud <= 3.42 - Arbitrary File Disclosure

The IP Blacklist Cloud plugin exposes several AJAX functions to users. One of these is the ‘importCSVIPCloud’ action, which appears to be used to import CSV files into the system's blacklist. This action is susceptible to directory traversal and does not check file extensions, so it is possible to retrieve the contents of any file on the server to which the web server has access.

This action requires that the user has the ‘manage_options’ capability. I have raised this as an issue because, while it is true that if someone has compromised a user with this privilege then this attack is the least of your concerns, a site administrator may have set the files that are editable via the WordPress administrative interface to read-only, in which case the scope of what the compromised user can do on the file system is limited. This vulnerability allows a user with adequate access to the WordPress instance to read files on the system, potentially compromising further credentials such as FTP and MySQL, amongst other sensitive information.
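As an added illustration of how an import handler of this kind can be hardened against the two defects described above (path traversal and the missing extension check), here is example code written for this page, not the plugin's own; the `ipbc_` prefix, the `file` POST field, the nonce action name and the import directory under wp-content/uploads are assumptions:

```php
<?php
// Added example: a hardened handler for an importCSVIPCloud-style AJAX action.
// Names (ipbc_*), the 'file' field, the nonce and the directory are assumptions.
// Return the absolute path of a CSV inside $base_dir, or a WP_Error.
function ipbc_safe_csv_path( $requested, $base_dir ) {
    $requested = (string) $requested;
    // 1. Reject anything that is not a bare file name (stops ../ traversal).
    if ( $requested === '' || basename( $requested ) !== $requested ) {
        return new WP_Error( 'bad_name', 'File name must not contain a path.' );
    }
    // 2. Extension allow-list: this action may only read .csv files.
    if ( strtolower( pathinfo( $requested, PATHINFO_EXTENSION ) ) !== 'csv' ) {
        return new WP_Error( 'bad_ext', 'Only .csv files can be imported.' );
    }
    // 3. Resolve symlinks and confirm the real path stays under $base_dir.
    $base = realpath( $base_dir );
    $full = realpath( $base_dir . DIRECTORY_SEPARATOR . $requested );
    if ( $base === false || $full === false
         || strpos( $full, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return new WP_Error( 'outside', 'File is not in the import directory.' );
    }
    return $full;
}
function ipbc_import_csv_ajax() {
    // Capability check (manage_options, as the advisory notes) plus a nonce
    // so an administrator cannot be made to trigger the import via CSRF.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'ipbc_import_csv', 'nonce' );
    $base = wp_upload_dir()['basedir'] . '/ip-blacklist-import'; // assumed
    $name = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $path = ipbc_safe_csv_path( $name, $base );
    if ( is_wp_error( $path ) ) {
        wp_send_json_error( $path->get_error_message(), 400 );
    }
    // Only well-formed IP addresses from the file reach the blacklist.
    $ips = array();
    foreach ( file( $path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) as $line ) {
        $ip = trim( str_getcsv( $line )[0] );
        if ( filter_var( $ip, FILTER_VALIDATE_IP ) ) {
            $ips[] = $ip;
        }
    }
    wp_send_json_success( array( 'imported' => count( $ips ) ) );
}
add_action( 'wp_ajax_importCSVIPCloud', 'ipbc_import_csv_ajax' );
```

The realpath check is what actually closes the traversal, since basename alone does not defend against a symlink placed inside the import directory.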

Affects Plugin: IP Blacklist Cloud
Fixed in: version 3.43

URL: https://research.g0blin.co.uk/g0blin-00037/

Type: LFI
OWASP Top 10: A1 (Injection)

Submitter: James Hooker
Submitter Website: https://research.g0blin.co.uk
Submitter Twitter: g0blinResearch
Verified: No

Publicly Published: 2015-03-13
Added: 2015-03-13
Last Updated: 2019-10-21
