Ajax Load More WordPress Plugin Missing Authorization Vulnerability Allowing File Upload and Deletion

Vulnerability

Versions of the Ajax Load More WordPress plugin prior to 2.8.1.2 contain AJAX actions that lack proper authorization. This flaw enables any authenticated user, including subscribers, to upload and delete arbitrary files. The issue is in the 'ajax-load-more/admin/admin.php' file, specifically within the 'alm_save_repeater()' and 'alm_delete_cache()' functions. Exploitation of this vulnerability could lead to unauthorized file manipulation on the server.

Impact

Exploitation of this vulnerability allows authenticated users to upload malicious PHP files that can then be executed, and to delete files on the server.

Reproduction

To exploit the file upload vulnerability, send a POST request to 'wp-admin/admin-ajax.php' with the action set to 'alm_save_repeater', a nonce for verification, and the value set to the PHP code payload. The uploaded code is saved in 'wp-content/plugins/ajax-load-more/core/repeater/default.php', where it can be executed by accessing the file with a command parameter. The file deletion vulnerability in the 'alm_delete_cache()' function can be exploited by sending a POST request with the 'cache' parameter set to the name of the cache directory. This triggers the deletion of the files within that directory.

Remediation

Users are advised to update the Ajax Load More WordPress plugin to version 2.8.1.2 or later.
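To confirm the update took effect and to check whether the repeater template named above was tampered with, a triage script along these lines can be run against a WordPress root. This is an added example, not code from the plugin or this advisory; the suspicious-pattern list is a heuristic assumption and `build_sample` creates a constructed fixture rather than real plugin files.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 8, 1, 2)                    # first fixed release, per the advisory
PLUGIN = "wp-content/plugins/ajax-load-more"
REPEATER = "core/repeater/default.php"  # template path named in the advisory
# Heuristic (assumption): a repeater template should not read request input
# or call code/command execution functions.
SUSPICIOUS = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE)\b"
    r"|\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
VERSION_HDR = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.M | re.I)

def parse_version(text):
    """'2.8.1' -> (2, 8, 1, 0): pad to four parts so tuples compare correctly."""
    parts = [int(p) for p in text.split(".") if p]
    return tuple(parts + [0] * (4 - len(parts)))

def installed_version(plugin_dir):
    """Read the Version header from whichever top-level file declares the plugin."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        match = VERSION_HDR.search(head) if "Plugin Name:" in head else None
        if match:
            return parse_version(match.group(1))
    return None

def triage(wp_root):
    """Report the installed version, whether it predates the fix, and template hits."""
    plugin_dir = Path(wp_root) / PLUGIN
    version = installed_version(plugin_dir)
    template = plugin_dir / REPEATER
    lines = template.read_text(errors="replace").splitlines() if template.is_file() else []
    hits = [(n, l.strip()) for n, l in enumerate(lines, 1) if SUSPICIOUS.search(l)]
    vulnerable = version is not None and version < FIXED
    return {"version": version, "vulnerable": vulnerable, "template_hits": hits}

def build_sample(root, version, template_body):
    """Constructed fixture: a minimal plugin tree, not real plugin files."""
    plugin_dir = Path(root) / PLUGIN
    (plugin_dir / "core/repeater").mkdir(parents=True)
    (plugin_dir / "main.php").write_text(
        f"<?php\n/*\nPlugin Name: Ajax Load More\nVersion: {version}\n*/\n")
    (plugin_dir / REPEATER).write_text(template_body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "2.8.1.1", "<li><?php the_title(); ?></li>\n<?php echo $_REQUEST['q']; ?>\n")
        print(triage(tmp))
```

A hit in the template on a site that ran a version before 2.8.1.2 warrants review of the file's modification time and of subscriber-level account activity, since updating the plugin does not remove content already written to the template.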

Added: Jul 22, 2025, 2:26 PM
Updated: Jul 22, 2025, 2:26 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 10.0
exploitability: 6.8
remediation: 7.7
relevance: 0.3
threat: 7.9
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.