Post Grid Master WordPress Plugin Local File Inclusion Vulnerability

A local file inclusion vulnerability has been identified in the Post Grid Master WordPress plugin, specifically in versions through 3.4.12. The issue arises in the 'locate_template' function, where unauthenticated attackers can include and execute arbitrary PHP files on the server. This vulnerability could be exploited to bypass access controls, access sensitive information, or execute code, particularly if the server allows the upload and inclusion of files with certain extensions, such as images.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of PHP code on the server, potentially allowing attackers to bypass access controls, access sensitive data, or execute malicious actions, especially in scenarios where file uploads are permitted.

Reproduction

To reproduce this vulnerability, send a request to the WordPress site with the Post Grid Master plugin active, targeting the 'wp_ajax_asr_filter_posts' action. Include a payload that specifies a PHP file to be included via the 'locate_template' function. The server must be configured to allow the execution of PHP files in the specified location.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and consider a replacement.