Plugin Slug: searchwp-live-ajax-search
Vulnerability: Unauthenticated path traversal for PHP files.
Vulnerable File: includes/class-client.php
Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)
The parameter swpengine in includes/class-client.php is not sanitized properly, leading to unauthenticated path traversal. By exploiting the path traversal, it is possible to include and execute PHP files from arbitrary paths. The file will execute even if the PHP file is not allowed to be accessed directly.
The following will include a file named phpinfo.php which is present in an arbitrary path:
https://example.com/wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=a&post_status=&swpengine=aaaaaaa/../../asd/phpinfo
Update plugin to version 1.6.3, or newer.
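
To check web server access logs for requests of the shape shown above, the following is an added example and not part of the original advisory or the plugin's code. It assumes combined-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_swpengine(url):
    """Return the decoded swpengine value if it contains traversal characters, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "searchwp_live_search" not in params.get("action", []):
        return None
    for raw in params.get("swpengine", []):
        value = decode_fully(raw)
        # An engine name has no reason to contain path separators, dot-dot or NUL.
        if ".." in value or "/" in value or "\\" in value or "\x00" in value:
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for each log line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            value = suspicious_swpengine(m.group(1))
            if value is not None:
                hits.append((n, value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=a&swpengine=default HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=a&post_status=&swpengine=aaaaaaa/../../asd/phpinfo HTTP/1.1" 200 90211',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=a&swpengine=x%2F..%2Fy HTTP/1.1" 200 90211',
    '198.51.100.2 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE):
        print(f"line {n}: swpengine={value!r}")
```

This only sees parameters carried in the query string; parameters sent in a POST body do not appear in standard access logs and need request-body logging or a WAF rule instead.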