CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin Local File Inclusion vulnerability affecting version 1.0.
Reporter | Title | Published | Views | Family All 14 |
---|---|---|---|---|
Patchstack | WordPress ZM Ajax Login & Register Plugin 1.0.9 - Local File Inclusion | 4 Jun 201500:00 | – | patchstack |
0day.today | WordPress zM Ajax Login & Register Plugin 1.0.9 Local File Inclusion Vulnerability | 4 Jun 201500:00 | – | zdt |
NVD | CVE-2015-4153 | 10 Jun 201518:59 | – | nvd |
exploitpack | WordPress Plugin zM Ajax Login Register 1.0.9 - Local File Inclusion | 4 Jun 201500:00 | – | exploitpack |
Prion | Directory traversal | 10 Jun 201518:59 | – | prion |
CVE | CVE-2015-4153 | 10 Jun 201518:59 | – | cve |
securityvulns | CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin [Local File Inclusion] | 8 Jun 201500:00 | – | securityvulns |
securityvulns | Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 8 Jun 201500:00 | – | securityvulns |
Cvelist | CVE-2015-4153 | 10 Jun 201518:00 | – | cvelist |
Exploit DB | WordPress Plugin zM Ajax Login & Register 1.0.9 - Local File Inclusion | 4 Jun 201500:00 | – | exploitdb |
`# Exploit Title: CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin [Local File Inclusion]
# Date: 2015/06/01
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://zanematthew.com/
# Software Link: https://downloads.wordpress.org/plugin/zm-ajax-login-register.1.0.9.zip
# Version: 1.0.9
# Tested on: WordPress 4.2.2
# Category: webapps
# CVE: CVE-2015-4153
* Description
Any authenticated or non-authenticated user can perform a local file inclusion attack by exploiting the wp_ajax_nopriv_load_template action. Plugin simply includes the file specified in 'template' POST parameter without any further validation.
* Proof of Concept
Send a post request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: `action=load_template&template=[relative path to local file]&security=[wp nonce]&referer=[action from which the nonce came from]`
* Timeline
2015/06/01 Discovered
2015/06/01 Vendor alerted via contact form at his website
2015/06/03 Vendor responded
2015/06/03 Fixed in version 1.1.0
* Solution
Update to version 1.1.0
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo