End-user exploitable local file inclusion vulnerability in Ajax Pagination (twitter Style) 1.1


Last revised:

This plugin contains a file inclusion vulnerability that is exploitable by an unauthenticated user. The user can include any local file ending in “.php” which is accessible to the web user.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score 9.3 High
Vector Network
Complexity Medium
Authentication None
Confidentiality Complete
Integrity Complete
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

A non-logged in user can call the ajax function wp_ajax_nopriv_ajax_navigation that calls ajax_navigation_callback in ajax-pagination-front.php at line 75.

By setting the value of “loop” in the POST data, they can include the contents of that path on the returned page.

For example, to include the contents of wp-login.php in the returned page, send the following:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Content-Length: 53
Content-Type: application/x-www-form-urlencoded; charset=UTF-8



Advisory timeline

  • 2014-02-18: Reported to and
  • 2014-03-28: No response received to reports. Vulnerability published.

Mitigation/further actions

Disable the plugin until a fix is available.