Ajax Pagination (twitter Style) Plugin for WordPress Local File Inclusion

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a PHP script that is affected by a
local file inclusion vulnerability.

Description :

The Ajax Pagination (twitter Style) plugin for WordPress installed on
the remote host is affected by a local file inclusion vulnerability
because it fails to properly sanitize user-supplied input to the
'loop' parameter of the '/wp-admin/admin-ajax.php' script. A remote,
unauthenticated attacker can exploit this issue to execute arbitrary
PHP scripts on the remote host.
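A detection check a defender could run over web-server access logs for this issue, added here as an example that is not part of the Nessus plugin or the referenced advisory; the log lines, client addresses and the `action` value are constructed for illustration and the `loop` parameter is the one named above:

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not taken from the advisory); the
# 'action' value is an assumed name, only the 'loop' parameter is from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2014:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_pagination&loop=loop.php HTTP/1.1" 200 512
203.0.113.7 - - [01/Apr/2014:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_pagination&loop=../../wp-config.php HTTP/1.1" 200 4096
203.0.113.9 - - [01/Apr/2014:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_pagination&loop=..%2F..%2Fwp-config.php HTTP/1.1" 200 4096
198.51.100.2 - - [01/Apr/2014:10:00:04 +0000] "GET /index.php?loop=../etc/passwd HTTP/1.1" 404 0
"""

# Pulls the request line ("GET /path?query HTTP/1.1") out of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_loop_value(value: str) -> bool:
    """True when a 'loop' value looks like a path rather than a template name."""
    # parse_qs already decoded once; decode twice more so double-encoded
    # traversal sequences (%252e%252e) are normalised before inspection.
    decoded = unquote(unquote(value))
    return (".." in decoded or decoded.startswith("/")
            or "\x00" in decoded or "://" in decoded)


def find_lfi_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return client/loop pairs for admin-ajax.php requests with a suspicious 'loop'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Only the vulnerable entry point is of interest; other paths are ignored.
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        for value in parse_qs(parts.query).get("loop", []):
            if suspicious_loop_value(value):
                hits.append({"client": line.split()[0], "loop": value})
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f"possible LFI attempt from {hit['client']}: loop={hit['loop']!r}")
```

POST bodies are not recorded in standard access logs, so this catches only GET-style probes; a WAF or application-level log is needed to see the same parameter sent in a POST.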

See also :

http://seclists.org/fulldisclosure/2014/Mar/398

Solution :

Unknown at this time.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 5.0
(CVSS2#E:ND/RL:U/RC:ND)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 73378

Bugtraq ID: 66526

CVE ID: