[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin [Local File Inclusion]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin [Local File Inclusion]
From: pan.vagenas@xxxxxxxxx
Date: Thu, 4 Jun 2015 08:56:37 GMT

# Exploit Title: CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin 
[Local File Inclusion]
# Date: 2015/06/01
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://zanematthew.com/
# Software Link: 
https://downloads.wordpress.org/plugin/zm-ajax-login-register.1.0.9.zip
# Version: 1.0.9
# Tested on: WordPress 4.2.2
# Category: webapps
# CVE: CVE-2015-4153

* Description

Any authenticated or non-authenticated user can perform a local file inclusion 
attack by exploiting the wp_ajax_nopriv_load_template action. Plugin simply 
includes the file specified in 'template' POST parameter without any further 
validation.

* Proof of Concept

Send a post request to 
`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: 
`action=load_template&template=[relative path to local file]&security=[wp 
nonce]&referer=[action from which the nonce came from]`

* Timeline

2015/06/01 Discovered
2015/06/01 Vendor alerted via contact form at his website
2015/06/03 Vendor responded
2015/06/03 Fixed in version 1.1.0


* Solution 

Update to version 1.1.0

Prev by Date: IBM Watson (Cognea) - XSS and Redirect Vulnerabilities
Next by Date: [security bulletin] HPSBGN03343 rev.1 - HP WebInspect, Remote Unauthorized Access
Previous by thread: IBM Watson (Cognea) - XSS and Redirect Vulnerabilities
Next by thread: [security bulletin] HPSBGN03343 rev.1 - HP WebInspect, Remote Unauthorized Access
Index(es):
- Date
- Thread