Breaking News WP Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in the Breaking News WP plugin for WordPress, affecting all versions through 1.3. The issue has two parts. First, the brnwp_ajax_form AJAX endpoint lacks both an authorization (capability) check and CSRF protection, so any authenticated user can write the brnwp_theme option. Second, the brnwp_show_breaking_news_wp() shortcode handler passes the brnwp_theme option to an include() statement without adequately validating the resulting file path: the input is sanitized, but the sanitization does not strip directory traversal sequences. Together these allow authenticated attackers with Subscriber-level access or higher to overwrite the brnwp_theme option with a value containing directory traversal sequences, after which arbitrary files from the server are included whenever the shortcode is rendered.
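The two defects described above, shown as an added PHP example that is not the plugin's own code: a reconstruction of the vulnerable pattern followed by a hardened handler that adds a nonce check, a capability check and an allowlist of theme names. Function and option names follow the advisory; the theme directory, the theme names and the nonce action are assumptions.

```php
<?php
// Added example, not the plugin's code: a reconstruction of the pattern the
// advisory describes, then a hardened version. Function and option names
// follow the advisory; everything else (paths, theme names) is assumed.
// --- Vulnerable pattern (assumed shape): no nonce, no capability check, a
// sanitizer that keeps "../", and include() of whatever the option holds.
function brnwp_ajax_form_vulnerable() {
    $theme = sanitize_text_field( wp_unslash( $_POST['brnwp_theme'] ?? '' ) );
    update_option( 'brnwp_theme', $theme ); // reachable by any logged-in user
    wp_send_json_success();
}
function brnwp_show_breaking_news_wp_vulnerable() {
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'themes/' . get_option( 'brnwp_theme' ) . '.php';
    return ob_get_clean();
}

// --- Hardened version: CSRF token, capability check, and an allowlist so the
// stored value can only name one of the plugin's own theme files.
const BRNWP_THEMES = array( 'default', 'dark', 'ticker' ); // assumed names

function brnwp_ajax_form_hardened() {
    check_ajax_referer( 'brnwp_ajax_form', 'nonce' );  // dies on a bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {     // subscribers are rejected
        wp_send_json_error( 'forbidden', 403 );
    }
    $theme = sanitize_key( wp_unslash( $_POST['brnwp_theme'] ?? '' ) );
    if ( ! in_array( $theme, BRNWP_THEMES, true ) ) {   // allowlist, not a blocklist
        wp_send_json_error( 'unknown theme', 400 );
    }
    update_option( 'brnwp_theme', $theme );
    wp_send_json_success();
}

function brnwp_show_breaking_news_wp_hardened() {
    // Validate on read as well: an option written before the fix may be hostile.
    $theme = get_option( 'brnwp_theme', 'default' );
    if ( ! in_array( $theme, BRNWP_THEMES, true ) ) {
        $theme = 'default';
    }
    $file = plugin_dir_path( __FILE__ ) . 'themes/' . basename( $theme ) . '.php';
    if ( ! is_file( $file ) ) {
        return '';
    }
    ob_start();
    include $file;
    return ob_get_clean();
}
add_action( 'wp_ajax_brnwp_ajax_form', 'brnwp_ajax_form_hardened' );
```

The read-side allowlist matters on an already-compromised site: fixing only the AJAX handler leaves a previously written brnwp_theme value in the database, and the shortcode would keep including it.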

Impact

Exploitation of this vulnerability allows local file inclusion: an attacker can include, and thereby read, files on the server that the web server process can access. Because the path is passed to include(), this could lead to further exploitation, such as execution of an included file if it contains executable (PHP) code.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a POST request to admin-ajax.php. The request must include the action 'brnwp_ajax_form' and the brnwp_theme parameter set to a value that includes directory traversal sequences, such as '../../../../etc/passwd'. Once the option has been overwritten, the specified file is included the next time a page containing the shortcode is rendered, and its contents become accessible.

Added: Apr 22, 2026, 9:49 AM
Updated: Apr 22, 2026, 9:49 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.3
remediation: 0.0
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.