WordPress Plugin Vulnerabilities
Ajax Load More < 2.8.1.2 - Subscriber+ File Upload & Deletion
Description
Authenticated arbitrary file upload in ajax-load-more/admin/admin.php, in the function alm_save_repeater().
The variable $f is set to a predictable PHP file path, and the content of the variable $c is then written into that file.
The following line shows that $c is also taken from untrusted input:
$c = Trim(stripslashes($_POST["value"])); // Repeater Value
Therefore an attacker with any account on the site (Subscriber or above, since the handler does not check the caller's capabilities) can write arbitrary PHP code to the website by sending a POST request to http://<WP-path>/wp-admin/admin-ajax.php
The attacker can then execute the uploaded PHP code, for example by sending a simple GET request to http://<WP-path>/wp-content/plugins/ajax-load-more/core/repeater/default.php
Authenticated arbitrary file deletion in ajax-load-more/admin/admin.php, in the function alm_delete_cache(). The cache name is read straight from the request and concatenated into a filesystem path without any sanitisation, so the resulting directory is not confined to the plugin's cache directory; every file matching *.* in that directory is unlinked and the directory itself is then removed.
$cache = $_POST["cache"]; // taken directly from the request, no sanitisation
[...]
$dir = ALM_CACHE_PATH .'_cache/'.$cache; // attacker-controlled path segment
[...]
foreach (glob($dir."/*.*") as $filename) { // every file in the resulting directory
[...]
unlink($filename); // deleted one by one
[...]
rmdir($dir); // then the directory itself
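As an added example covering both issues above (this is not the plugin's own code and not part of the original advisory), the two AJAX handlers rewritten so that only administrators with a valid nonce can reach them, and so that the cache name can no longer escape the cache directory. The hook names alm_save_repeater and alm_delete_cache, the nonce actions, the request field "nonce" and the ALM_PATH constant are assumptions made for the example; ALM_CACHE_PATH is the constant shown in the vulnerable snippet.

```php
<?php
// Added example, not the plugin's code. Assumed names: the two wp_ajax_* hook
// names, the nonce actions, the "nonce" request field and the ALM_PATH
// constant (hypothetical plugin root). ALM_CACHE_PATH comes from the advisory.

// --- Repeater save: the PHP write is the feature, so restrict the audience ---
add_action( 'wp_ajax_alm_save_repeater', 'alm_save_repeater_hardened' );

function alm_save_repeater_hardened() {
    // The original handler was reachable by any logged-in user (Subscriber+).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // calls wp_die()
    }
    // Reject cross-site / replayed requests; dies with -1 on an invalid nonce.
    check_ajax_referer( 'alm_repeater_nonce', 'nonce' );

    // Target path is fixed and never derived from the request.
    $f = ALM_PATH . 'core/repeater/default.php'; // ALM_PATH is an assumption
    $c = isset( $_POST['value'] ) ? trim( wp_unslash( $_POST['value'] ) ) : '';

    if ( file_put_contents( $f, $c, LOCK_EX ) === false ) {
        wp_send_json_error( 'write failed', 500 );
    }
    wp_send_json_success();
}

// --- Cache delete: same authorisation, plus confinement of the path ---
add_action( 'wp_ajax_alm_delete_cache', 'alm_delete_cache_hardened' );

function alm_delete_cache_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'alm_cache_nonce', 'nonce' );

    // Whitelist the cache id: no slashes, dots or NUL bytes can get through.
    $cache = isset( $_POST['cache'] ) ? wp_unslash( $_POST['cache'] ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]+$/', $cache ) ) {
        wp_send_json_error( 'invalid cache id', 400 );
    }

    // Defence in depth: resolve both paths and require the target to sit
    // strictly inside the cache root (realpath() returns false if missing).
    $base = realpath( ALM_CACHE_PATH . '_cache' );
    $dir  = realpath( ALM_CACHE_PATH . '_cache/' . $cache );
    if ( $base === false || $dir === false
        || strpos( $dir, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'invalid cache path', 400 );
    }

    // glob() can return false on error; normalise to an empty array.
    foreach ( ( glob( $dir . '/*.*' ) ?: array() ) as $filename ) {
        if ( is_file( $filename ) ) {
            unlink( $filename );
        }
    }
    rmdir( $dir );
    wp_send_json_success();
}
```

The capability check is what actually closes the Subscriber+ issue; the nonce stops a logged-in administrator being driven through the handler by a third-party page, and the whitelist plus realpath() comparison means that even a future change that loosens the regex cannot turn the delete into a traversal outside ALM_CACHE_PATH.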