Google Drive for WordPress Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in the Google Drive plugin for WordPress, specifically in version 2.2. This vulnerability allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences into the file_name parameter. Exploitation involves sending POST requests to gdrive-ajaxs.php with the ajaxstype parameter set to del_fl_bkp and the file_name parameter containing traversal sequences, such as ../../wp-config.php, to access sensitive configuration files.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, such as the WordPress configuration file, wp-config.php, which contains database credentials and other critical information.

Reproduction

To reproduce this vulnerability, send a POST request to 'wp-content/plugins/wp-google-drive/gdrive-ajaxs.php' with the ajaxstype parameter set to 'del_fl_bkp'. Include a file_name parameter that contains directory traversal sequences, such as '../../wp-config.php', to access sensitive files on the server.
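A detection check for the request shape described above, as an added example that is not part of the original advisory or the plugin's code. It assumes request records (method, path, form-encoded body) are available from a WAF or proxy audit log that captures POST bodies; the function names and sample records are constructed for illustration.

```python
import posixpath
from urllib.parse import parse_qs, unquote

# Endpoint and parameter names are taken from the advisory text.
ENDPOINT = "wp-content/plugins/wp-google-drive/gdrive-ajaxs.php"

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(file_name):
    """True if the name is absolute or resolves above the directory it is joined to."""
    name = decode_fully(file_name).replace("\\", "/")
    if "\x00" in name or name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")

def is_suspicious(method, path, body):
    """Match the advisory's request shape: POST, plugin endpoint, del_fl_bkp, traversal."""
    if method.upper() != "POST" or not path.split("?", 1)[0].endswith(ENDPOINT):
        return False
    params = parse_qs(body, keep_blank_values=True)  # decodes one layer
    if "del_fl_bkp" not in params.get("ajaxstype", []):
        return False
    return any(escapes_base(v) for v in params.get("file_name", []))

def scan(records):
    """Return the indexes of records that match."""
    return [i for i, r in enumerate(records) if is_suspicious(*r)]

# Constructed sample records: (method, path, form-encoded body).
SAMPLE = [
    ("POST", "/" + ENDPOINT, "ajaxstype=del_fl_bkp&file_name=backup-2026-05-01.zip"),
    ("POST", "/" + ENDPOINT, "ajaxstype=del_fl_bkp&file_name=..%2F..%2Fwp-config.php"),
    ("POST", "/" + ENDPOINT, "ajaxstype=del_fl_bkp&file_name=%252e%252e%252fwp-config.php"),
    ("POST", "/" + ENDPOINT, "ajaxstype=other&file_name=..%2Fx"),
    ("GET", "/index.php", ""),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Because the advisory describes the endpoint as reachable without authentication, any match is worth reviewing regardless of session state.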

Added: May 17, 2026, 1:27 PM
Updated: May 17, 2026, 1:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.