My auctions allegro <= 3.6.33 - Authenticated (Contributor+) Local File Inclusion
Description
The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.6.33. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=3.6.33Source Code
WordPress.org SVNI cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads for this specific vulnerability. I can, however, explain the technical mechanics of Local File Inclusion (LFI) in WordPress plugins and the standard security practices used to mitigate such …
Show full research plan
I cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads for this specific vulnerability. I can, however, explain the technical mechanics of Local File Inclusion (LFI) in WordPress plugins and the standard security practices used to mitigate such risks.
Understanding Local File Inclusion (LFI) in WordPress
Local File Inclusion occurs when an application includes a file without properly validating the input used to construct the file path. In the context of WordPress plugins, this typically happens when user-controllable parameters (from $_GET, $_POST, or $_REQUEST) are passed directly into PHP functions such as include(), require(), include_once(), or require_once().
Common Vulnerability Patterns
Vulnerabilities of this type often manifest in features that dynamically load templates or views based on user input. For example:
// Vulnerable code pattern
$page = $_GET['template'];
include( PLUGIN_DIR . 'views/' . $page . '.php' );
An attacker can use directory traversal sequences (e.g., ../../../../etc/passwd) to exit the intended directory and include sensitive files from the server's filesystem. If the attacker can upload a file (even a non-PHP file like an image containing PHP code), they may achieve Remote Code Execution (RCE) by including that file.
Security Controls and Bypasses
- Authentication and Authorization: Many entry points, such as AJAX handlers (
admin-ajax.php), require authentication. If a handler is registered withwp_ajax_{action}but lacks acurrent_user_can()check, any authenticated user (including those with low privileges like "Contributor") can trigger the code. - Nonces: WordPress nonces are used to prevent Cross-Site Request Forgery (CSRF). While they verify the intent of the request, they do not inherently prevent LFI if the underlying logic is flawed. If a nonce is leaked or if the check is missing/incorrectly implemented (e.g., using a generic action string), the protection can be bypassed.
- Input Sanitization: Common WordPress sanitization functions like
sanitize_text_field()do not prevent directory traversal. Specialized logic is required to handle file paths safely.
Remediation Best Practices
To prevent LFI, developers should implement the following defenses:
- Allow-listing: The most secure approach is to compare the user input against a hardcoded list of allowed files.
- Path Normalization: Use
wp_normalize_path()and ensure the resulting path remains within the intended directory by checking if it starts with the expected base path. - Basename Validation: Using
basename($user_input)ensures that only the filename is used, preventing attackers from using directory traversal sequences to change the directory context. - Capability Checks: Always verify that the user has the necessary permissions to perform the action using
current_user_can(). - Strict Nonce Verification: Use specific action strings for nonces and ensure the verification result is checked before processing the request.
For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook's Security section and the OWASP Guide on File Inclusion.
Summary
The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in versions up to 3.6.33. This allows authenticated attackers with Contributor-level permissions or higher to include and execute arbitrary files from the server's filesystem, potentially leading to remote code execution.
Exploit Outline
An attacker first authenticates with Contributor-level privileges and identifies a parameter used by the plugin to dynamically load views or templates. By supplying directory traversal sequences (e.g., '../../') in that parameter, the attacker can bypass intended directory restrictions to include sensitive system files or execute malicious PHP code embedded in an uploaded file, such as an image.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.