Extensive VC Addons for WPBakery Page Builder Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in the Extensive VC Addons for WPBakery Page Builder plugin for WordPress, affecting all versions through 1.9.1. The flaw is in the 'extensive_vc_get_module_template_part' function: the user-supplied 'shortcode_name' parameter of the 'extensive_vc_init_shortcode_pagination' AJAX action is not adequately normalized or validated as a path, so unauthenticated attackers can include and execute arbitrary PHP files on the server. Any PHP code contained in an included file is executed.

Impact

Exploitation of this vulnerability could lead to unauthorized access and execution of PHP code on the server, potentially allowing for further attacks or compromise of the website.

Reproduction

To reproduce this vulnerability, send a request to the 'extensive_vc_init_shortcode_pagination' AJAX action with a crafted 'shortcode_name' parameter that includes a path to a PHP file on the server. The lack of proper validation will allow the inclusion and execution of the specified PHP file.
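A request-level guard for the AJAX entry point described above, as an added example (not code from the plugin or from this advisory). It assumes that legitimate 'shortcode_name' values are plain slugs and that the parameter arrives as a form field, top-level or nested in an array; the 'evc_guard_*' names and the must-use plugin placement are hypothetical.

```php
<?php
/**
 * Plugin Name: EVC shortcode_name guard (added example, hypothetical)
 *
 * Intended for wp-content/mu-plugins/. Rejects requests to the AJAX action
 * named in the advisory when any 'shortcode_name' value is not a plain slug.
 * Assumption: legitimate shortcode names use only a-z, 0-9, '_' and '-'.
 */

const EVC_GUARD_ACTION = 'extensive_vc_init_shortcode_pagination';

/** True when $value is a string made only of slug characters. */
function evc_guard_is_plain_slug( $value ) {
	// \A and \z anchor the whole string, so a trailing newline cannot pass.
	return is_string( $value ) && 1 === preg_match( '/\A[a-z0-9_-]{1,64}\z/', $value );
}

/** Collect every 'shortcode_name' value, including ones nested in arrays. */
function evc_guard_collect_names( array $request ) {
	$names = array();
	foreach ( $request as $key => $value ) {
		if ( 'shortcode_name' === $key ) {
			$names[] = $value; // Kept even if it is an array; rejected later.
		} elseif ( is_array( $value ) ) {
			$names = array_merge( $names, evc_guard_collect_names( $value ) );
		}
	}
	return $names;
}

/** Runs before the plugin's own handler (priority 0 sorts ahead of the default 10). */
function evc_guard_check_request() {
	$names = evc_guard_collect_names( wp_unslash( $_REQUEST ) );
	foreach ( $names as $name ) {
		if ( ! evc_guard_is_plain_slug( $name ) ) {
			// Log the source address only; the rejected value is not echoed back.
			error_log( 'evc-guard: rejected shortcode_name from ' . ( $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
			wp_die( 'Invalid request.', 'Bad Request', array( 'response' => 400 ) );
		}
	}
}

// Cover both logged-in and unauthenticated callers of the action.
add_action( 'wp_ajax_' . EVC_GUARD_ACTION, 'evc_guard_check_request', 0 );
add_action( 'wp_ajax_nopriv_' . EVC_GUARD_ACTION, 'evc_guard_check_request', 0 );
```

The guard filters this one entry point only and does not change the include logic in 'extensive_vc_get_module_template_part'. The rejection lines it writes to the PHP error log can double as a detection signal for probing.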

Added: Dec 13, 2025, 4:57 PM
Updated: Dec 13, 2025, 4:57 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 9.3
remediation: 0.0
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.