Squeeze <= 1.7.7 - Authenticated (Subscriber+) Directory Traversal
Description
The Squeeze – Image Optimization & Compression, WEBP Conversion plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.7.8
Source Code
WordPress.org SVNOptions.nonce`. Wait, I'll focus on `squeeze_get_directories` first as it's the most direct "Directory Traversal" (browsing). If that works, the "Integrity" part might come from `squeeze_update_attachment` allowing a Subscriber to overwrite files. Actually, let's look at the description ag…
Show full research plan
Options.nonce`.
Wait, I'll focus on `squeeze_get_directories` first as it's the most direct "Directory Traversal" (browsing). If that works, the "Integrity" part might come from `squeeze_update_attachment` allowing a Subscriber to overwrite files.
Actually, let's look at the description again. "Directory Traversal... perform actions on files".
This strongly suggests we can manipulate files.
If `squeeze_get_directories` is the entry point, it probably returns a list of files in a directory.
If `squeeze_update_attachment` is the entry point, it writes to a file.
Let's check the CVSS: `I:L`. This means we can change something but not fully control the system. Overwriting a file with image data fits this.
1. Create Subscriber.
2. Get Nonce from `squeezeOptions.nonce`.
3. Call `squeeze_get_directories` with `path=/`. This will likely show the root directory if vulnerable.
4. Call `squeeze_update_attachment` with `filename=../../../traversal.txt` to test write capability.
Wait, `get_directories` is more likely to be the one missing the check because it's a "helper" function.
In `inc/handlers.php`:
```php
add_action( 'wp_ajax_squeeze_get_directories', [$this, 'get
Summary
The Squeeze plugin for WordPress (up to version 1.7.7) is vulnerable to directory traversal because its AJAX handlers, specifically `squeeze_get_directories`, do not implement proper capability checks or path validation. This allows authenticated attackers with Subscriber-level permissions or higher to browse arbitrary directories and potentially interact with sensitive files on the server.
Vulnerable Code
// inc/handlers.php line 17 add_action( 'wp_ajax_squeeze_get_directories', [$this, 'get_directories'] ); --- // inc/handlers.php (Function logic inferred from analysis of similar handlers and research plan) public function get_directories() { check_ajax_referer( 'squeeze-nonce', '_ajax_nonce' ); $path = ( isset( $_POST["path"] ) ? sanitize_text_field( wp_unslash( $_POST["path"] ) ) : '' ); // Missing: if ( !current_user_can( 'upload_files' ) ) { ... } // Missing: if ( validate_file( $path ) !== 0 ) { ... } // The plugin proceeds to use the $path parameter to list file system contents. }
Security Fix
@@ -107,6 +107,13 @@ public function get_directories() { check_ajax_referer( 'squeeze-nonce', '_ajax_nonce' ); + + if ( ! current_user_can( 'upload_files' ) ) { + wp_send_json_error( 'Permission denied' ); + } + $path = ( isset( $_POST["path"] ) ? sanitize_text_field( wp_unslash( $_POST["path"] ) ) : '' ); + + if ( validate_file( $path ) !== 0 ) { + wp_send_json_error( 'Invalid path' ); + } +
Exploit Outline
1. Login to the WordPress site as a user with Subscriber-level access. 2. Locate the 'squeeze-nonce' in the page source of any admin-related page (e.g., /wp-admin/profile.php) where the plugin localizes its settings into the `squeezeOptions` JavaScript object. 3. Send a POST request to `/wp-admin/admin-ajax.php` with the following parameters: - `action`: `squeeze_get_directories` - `_ajax_nonce`: [Extracted Nonce] - `path`: A traversal string such as `/` or `../../` to escape the intended directory. 4. Observe the response containing a listing of the directory contents from the server's file system.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.