IP Blacklist Cloud < 3.43 - Admin+ Arbitrary File Disclosure

Description

The IP Blacklist Cloud plugin exposes several AJAX functions to users. One of these is the ‘importCSVIPCloud’ action, which looks to be used to import CSV files into the system’s blacklist. This action is susceptible to Directory Traversal and does not check file extensions; as such, it is possible to retrieve the contents of any file on the server to which the web server has access.

This action requires that the user have the ‘manage_options’ permission. The reason I’ve raised this as an issue is that, while it’s true that if someone has compromised a user with this privilege then this attack is the least of your concerns, if a site administrator has set Read Only on files that are editable via the WordPress administrative interface, then the scope of what the compromised user can perform on the file system is limited. This vulnerability allows a user with adequate access to the WordPress instance to read files on the system, potentially compromising further credentials such as FTP, MySQL, amongst other sensitive information.
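For contrast, here is how an import action of this kind can be written so that the file name cannot escape a fixed directory or point at a non-CSV file. This is an added example, not the plugin’s code: the action name, nonce name, request parameter, option key and import directory are assumptions.

```php
<?php
// Added example: a hardened AJAX CSV-import handler for a WordPress plugin.
// This is NOT the IP Blacklist Cloud code; the action name, nonce name,
// request parameter, option key and import directory are assumptions.

add_action( 'wp_ajax_example_import_csv', 'example_import_csv_handler' );

function example_import_csv_handler() {
    // Capability check: only users who may manage options can import a blacklist.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // wp_die()s internally
    }
    // CSRF protection: the request must carry a valid nonce.
    check_ajax_referer( 'example_import_csv', 'nonce' );

    // Accept a bare file name only; reject anything carrying a directory component.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || basename( $name ) !== $name ) {
        wp_send_json_error( 'invalid file name', 400 );
    }
    // Enforce the expected extension before touching the file system.
    if ( 'csv' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
        wp_send_json_error( 'only .csv files may be imported', 400 );
    }

    // Confine reads to one import directory under wp-content/uploads (assumed location).
    $base      = trailingslashit( wp_upload_dir()['basedir'] ) . 'ipblacklist-imports/';
    $real_base = realpath( $base );
    $real_file = realpath( $base . $name );
    // realpath() resolves symlinks and '..'; the result must still lie inside $base.
    if ( false === $real_base || false === $real_file
        || 0 !== strpos( $real_file, trailingslashit( $real_base ) ) ) {
        wp_send_json_error( 'file not found', 404 );
    }

    // Parse the CSV and keep only syntactically valid IP addresses from column one.
    $rows = array_map( 'str_getcsv', file( $real_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) );
    $ips  = array();
    foreach ( $rows as $row ) {
        $candidate = trim( (string) $row[0] );
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            $ips[] = $candidate;
        }
    }
    update_option( 'example_ip_blacklist', array_values( array_unique( $ips ) ) );
    wp_send_json_success( array( 'imported' => count( $ips ) ) );
}
```

The three checks that matter for the issue described above are the capability check, the extension check, and the realpath() confinement; the last one is what actually closes the traversal, since basename() alone does not protect against symlinks placed in the import directory.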

Affects Plugins

Fixed in 3.43

Classification

Type: LFI

Miscellaneous

Submitter: James Hooker
Verified: No

Timeline

Publicly Published: 2015-03-13
Added: 2015-03-13
Last Updated: 2023-05-03