Attack Chain

1. The attacker identifies a WordPress site using Google Drive for WordPress version 2.2.
2. The attacker crafts a POST request targeting the gdrive-ajaxs.php file.
3. The attacker sets the ajaxstype parameter to del_fl_bkp in the POST request.
4. The attacker injects directory traversal sequences (e.g., ../../) into the file_name parameter.
5. The attacker specifies the target file to read by appending it to the traversal sequence (e.g., ../../wp-config.php).
6. The server processes the request without proper sanitization of the file_name parameter.
7. The server reads the specified file (e.g., wp-config.php) and includes its content in the response.
8. The attacker receives the response containing the content of the targeted file, potentially revealing sensitive information.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to read arbitrary files on the affected server. This can lead to the disclosure of sensitive information, such as database credentials, API keys, and other configuration details stored in files like wp-config.php. The impact can range from data theft to complete compromise of the WordPress site.

Recommendation

• Apply available patches or upgrade to a secure version of the Google Drive for WordPress plugin to remediate CVE-2018-25326.
• Deploy the Sigma rule “Detect CVE-2018-25326 Path Traversal Attempt” to identify exploitation attempts in web server logs.
• Monitor POST requests to gdrive-ajaxs.php for suspicious file_name parameters containing directory traversal sequences using a WAF or similar security tool.