zM Ajax Login & Register [Local File Inclusion]
The WordPress plugin zM Ajax Login & Register suffers from a Local File Inclusion vulnerability.
Any authenticated or non-authenticated user can perform a local file inclusion attack by exploiting the
wp_ajax_nopriv_load_template action. The plugin simply includes the file specified in the ‘template’ POST parameter without any further validation.
Proof of Concept
Send a POST request to
action=load_template&template=[relative path to local file]&security=[wp nonce]&referer=[action from which the nonce came from]
Vendor alerted via contact form at his website
Released version 1.1.0 that resolves the issue
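One way to validate the ‘template’ value before including it, shown as an added example that is not the plugin's code and not necessarily how version 1.1.0 resolves the issue. The function name, template names and demo directory are hypothetical; the sample inputs are constructed.

```php
<?php
// Added example (not the plugin's code). All names here are hypothetical.

/**
 * Map a user-supplied template name to a file inside $baseDir.
 * Returns the canonical path to include, or null if the request is rejected.
 */
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: accept only known template names, never a path.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise (resolves "..", symlinks) and
    //    confirm the result is still inside the templates directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the templates directory
    }
    return $path;
}

// Constructed demo: a temporary templates directory holding one template.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir($base);
file_put_contents($base . '/login-form.php', "<?php echo 'login form';");
$allowed = ['login-form', 'register-form'];

// Constructed inputs: a valid name, a relative path, an allowed name whose
// file is missing, and a name that smuggles a path segment.
foreach (['login-form', '../outside', 'register-form', 'login-form/../x'] as $name) {
    $resolved = resolve_template($name, $base, $allowed);
    printf("%-18s => %s\n", $name,
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

unlink($base . '/login-form.php');
rmdir($base);
```

In an AJAX handler, the value returned by such a function, rather than the raw POST parameter, would be what is passed to include.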