Advisory:

End-user exploitable local file inclusion vulnerability in Ajax Pagination (twitter Style) 1.1

Vulnerability

Last revised:

This plugin contains a local file inclusion vulnerability that is exploitable by an unauthenticated user. The user can include any local file ending in “.php” that is readable by the web server user.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 9.3 (High)
  • Access vector: Network
  • Access complexity: Medium
  • Authentication: None
  • Confidentiality impact: Complete
  • Integrity impact: Complete
  • Availability impact: Complete

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

A user who is not logged in can call the AJAX action wp_ajax_nopriv_ajax_navigation, which invokes ajax_navigation_callback in ajax-pagination-front.php at line 75.

By setting the value of the “loop” POST parameter, they can have the file at that path (with “.php” appended) included, and its contents are returned in the response.

For example, to include the contents of wp-login.php in the returned page, send the following:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 53
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

paged=2&action=ajax_navigation&loop=../../../wp-login
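To make the defect concrete, the following is an added illustration written for this advisory; it is not the plugin's own code, and the function bodies, the allow-listed template names and the use of plugin_dir_path() for the include base are assumptions. It shows the include pattern the advisory describes beside a hardened version that only accepts a fixed set of template names.

```php
<?php
// Added illustration, not code from Ajax Pagination (twitter Style). The hook names
// below are the ones named in the advisory; everything else is hypothetical.

// Vulnerable form: the POST value is used directly to build the path of the file
// that is included. A value such as "../../../wp-login" resolves, relative to the
// plugin directory, to the WordPress root and pulls wp-login.php into the response.
// Any .php file readable by the web server user can be included this way.
function ajax_navigation_callback_vulnerable() {
    $loop = $_POST['loop'];
    include plugin_dir_path( __FILE__ ) . $loop . '.php';
    wp_die();
}

// Hardened form: the request may only select one of the templates the plugin ships.
// Strict in_array() comparison avoids type juggling, and nothing from the request
// ever reaches the filesystem path except a value copied from the allow-list.
function ajax_navigation_callback_hardened() {
    $allowed = array( 'default', 'grid', 'list' ); // hypothetical template names
    $loop    = isset( $_POST['loop'] ) ? (string) $_POST['loop'] : 'default';

    if ( ! in_array( $loop, $allowed, true ) ) {
        // wp_send_json_error() ends the request via wp_die(), so nothing below runs.
        wp_send_json_error( 'invalid loop template', 400 );
    }

    include plugin_dir_path( __FILE__ ) . $loop . '.php';
    wp_die();
}

// Registration as in the advisory: the nopriv hook is what makes the callback
// reachable without a login, so the callback itself must do the input validation.
add_action( 'wp_ajax_nopriv_ajax_navigation', 'ajax_navigation_callback_hardened' );
add_action( 'wp_ajax_ajax_navigation', 'ajax_navigation_callback_hardened' );
```

The allow-list is the important part: sanitising traversal sequences out of the value is weaker, because the parameter still names a file. Restricting it to a closed set of known template names removes the user's control over the path entirely, which is what a fix for this class of bug needs to do.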


Advisory timeline

  • 2014-02-18: Reported to nuwan28@gmail.com and plugins@wordpress.org
  • 2014-03-28: No response received to reports. Vulnerability published.

Mitigation/further actions

Disable the plugin until a fix is available.