Security Ninja WordPress Plugin Arbitrary File Read Vulnerability

Vulnerability

A vulnerability allowing arbitrary file read has been identified in the Security Ninja WordPress Security Plugin & Firewall, affecting all versions prior to 5.243. The issue arises in the 'get_file_source' function, where authenticated attackers with Administrator-level access can exploit this vulnerability to access and extract sensitive data from any file on the server.

Impact

Exploitation of this vulnerability allows authenticated users with Administrator privileges to read arbitrary files on the server, potentially leading to the disclosure of sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges sends a request to the 'wp_ajax_sn_core_get_file_source' endpoint. The request must include the 'filename' parameter specifying the path of the file to be read, along with a valid nonce and hash so that the plugin's security checks pass. The 'get_file_source' function is then executed, and if the requested file is within the WordPress core directories, its contents are returned in the response.
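For defenders who cannot patch immediately, the request pattern described above can be watched for in web-server access logs. The following is an added example written for this advisory, not code from the plugin or its vendor. It assumes the action is reached through WordPress's admin-ajax.php as action=sn_core_get_file_source (the standard mapping for a wp_ajax_* hook), that the 'filename' parameter travels in the query string (a POST body would only be visible to a WAF or application log), and that the document root is /var/www/html; the log lines are constructed samples, not real traffic. Every call to the action is reported, and a filename that normalises to a location outside the WordPress core directories is raised to high severity.

```python
"""Flag access-log requests to the Security Ninja 'sn_core_get_file_source'
AJAX action and classify the requested filename.

Added example; not the plugin's code. Assumptions are marked below.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

ACTION = "sn_core_get_file_source"          # assumed admin-ajax action name
DOCROOT = "/var/www/html"                   # assumed WordPress document root
ALLOWED_DIRS = ("wp-admin", "wp-includes")  # WordPress core directories

# Apache/nginx combined log format: client, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_within_core(filename: str, docroot: str = DOCROOT) -> bool:
    """True only if the path normalises to a location inside one of the
    core directories under docroot. Absolute paths and traversal sequences
    that escape those directories return False."""
    if filename.startswith("/"):
        candidate = posixpath.normpath(filename)
    else:
        candidate = posixpath.normpath(posixpath.join(docroot, filename))
    for d in ALLOWED_DIRS:
        base = posixpath.join(docroot, d)
        if candidate == base or candidate.startswith(base + "/"):
            return True
    return False


def inspect_line(line: str, docroot: str = DOCROOT) -> Optional[dict]:
    """Return a finding for a log line that calls the action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)  # percent-decodes values such as %2F
    if qs.get("action", [None])[0] != ACTION:
        return None
    filename = qs.get("filename", [""])[0]
    outside = not is_within_core(filename, docroot)
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "filename": filename,
        "severity": "high" if outside else "info",
    }


def scan(lines):
    """Run inspect_line over an iterable of log lines, keeping findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2025:19:22:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=sn_core_get_file_source&filename=wp-includes/version.php HTTP/1.1"'
    ' 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Sep/2025:19:22:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=sn_core_get_file_source&filename=wp-includes%2F..%2Fwp-config.php'
    ' HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Sep/2025:19:22:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=sn_core_get_file_source&filename=/etc/hosts HTTP/1.1"'
    ' 200 410 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Sep/2025:19:23:00 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the feature is only reachable by Administrators, any hit is worth correlating with the admin session that issued it; a high-severity finding with a 200 status should be treated as a likely disclosure of the named file until the plugin is updated.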

Remediation

Users are advised to update the Security Ninja WordPress Plugin to version 5.243 or later.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 5.8
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.