Lucene search

K

WordPress zM Ajax Login Register 1.0.9 Local File Inclusion

🗓️ 05 Jun 2015 00:00:00Reported by panVagenasType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 32 Views

CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin Local File Inclusion vulnerability affecting version 1.0.

Show more
Related
Code
`# Exploit Title: CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin [Local File Inclusion]  
# Date: 2015/06/01  
# Exploit Author: Panagiotis Vagenas  
# Contact: https://twitter.com/panVagenas  
# Vendor Homepage: http://zanematthew.com/  
# Software Link: https://downloads.wordpress.org/plugin/zm-ajax-login-register.1.0.9.zip  
# Version: 1.0.9  
# Tested on: WordPress 4.2.2  
# Category: webapps  
# CVE: CVE-2015-4153  
  
* Description  
  
Any authenticated or non-authenticated user can perform a local file inclusion attack by exploiting the wp_ajax_nopriv_load_template action. Plugin simply includes the file specified in 'template' POST parameter without any further validation.  
  
* Proof of Concept  
  
Send a post request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: `action=load_template&template=[relative path to local file]&security=[wp nonce]&referer=[action from which the nonce came from]`  
  
* Timeline  
  
2015/06/01 Discovered  
2015/06/01 Vendor alerted via contact form at his website  
2015/06/03 Vendor responded  
2015/06/03 Fixed in version 1.1.0  
  
  
* Solution   
  
Update to version 1.1.0  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
05 Jun 2015 00:00Current
8.8High risk
Vulners AI Score8.8
EPSS0.061
32
.json
Report