Javo Themes Spot LFI/Directory Traversal Vulnerability


Whew, it’s been a while… I’ve had the misfortune to work with yet another theme from ThemeForest. A $60 premium theme and nothing less! Meet Javo Spot by Javo Themes…
Within half an hour of fiddling with it, trying to filter the output of their Listings Directory (which ended up being a 5-hour pain-in-the-butt task, which is a story for another day), I came across a glaring unauthenticated Local File Inclusion vulnerability (an LFI for short).
The available listings are cached in JSON format into a file in the uploads directory and then fetched via a GET on the listing archive page and rendered nicely. But there’s a cross-domain mode in the theme that uses JSONP, which allows the contents of the listing file to be output via an AJAX call to WordPress.
This is handled by a function called jvfrm_spot_get_json (javo-spot/library/functions/functions-box-map.php):
/**
* Cross Domain Ajax
*
* @type action
* @function jvfrm_spot_get_json
*/
if ( !function_exists( 'jvfrm_spot_get_json' ) ) :
// Logged-in AJAX hook.
add_action( 'wp_ajax_jvfrm_spot_get_json', 'jvfrm_spot_get_json' );
// The nopriv hook registers the same handler for anonymous visitors,
// which is what makes the issue reachable without authentication.
add_action( 'wp_ajax_nopriv_jvfrm_spot_get_json', 'jvfrm_spot_get_json' );
// The function definition and matching endif follow in the theme file (not reproduced in this excerpt).
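As an added illustration (not the theme's code and not a fix taken from the post), this is the shape a hardened handler for such an endpoint would take: the requested file name is allow-listed syntactically, the resolved path is confirmed to stay inside one fixed cache directory under uploads, and the response is plain JSON rather than a JSONP callback. The parameter name `file`, the function name `jvfrm_spot_get_json_hardened` and the cache sub-directory name are assumptions.

```php
<?php
// Added example, not from the Javo Spot theme. Assumed: the cached listing
// file name arrives in a GET parameter 'file' and lives in a fixed
// sub-directory of the WordPress uploads directory.
if ( ! function_exists( 'jvfrm_spot_get_json_hardened' ) ) :
function jvfrm_spot_get_json_hardened() {
    // Fixed base directory; never derived from request input.
    $uploads = wp_upload_dir();
    $base    = trailingslashit( $uploads['basedir'] ) . 'javo-listings-cache'; // assumed name

    $name = isset( $_GET['file'] ) ? (string) wp_unslash( $_GET['file'] ) : '';

    // Syntactic allow-list: a bare file name, no slashes, no dots except the suffix.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}\.json$/', $name ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // Resolve symlinks and any '..' segments, then confirm containment in $base.
    $real_base = realpath( $base );
    $real      = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $real_base || false === $real
        || 0 !== strpos( $real, $real_base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Only serve content that actually parses as JSON.
    $json = file_get_contents( $real );
    if ( false === $json || null === json_decode( $json ) ) {
        wp_send_json_error( 'unreadable', 500 );
    }

    // Plain JSON with a fixed content type; no callback wrapping, so the body
    // can never be executed as a script from another origin.
    header( 'Content-Type: application/json; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    echo $json;
    wp_die();
}
add_action( 'wp_ajax_jvfrm_spot_get_json_hardened', 'jvfrm_spot_get_json_hardened' );
add_action( 'wp_ajax_nopriv_jvfrm_spot_get_json_hardened', 'jvfrm_spot_get_json_hardened' );
endif;
```

If the cross-domain use case is genuinely needed, an explicit CORS `Access-Control-Allow-Origin` for an allow-listed origin is a safer replacement for JSONP than validating a callback name.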
Source: https://managewp.org/articles/14375/javo-themes-spot-lfi-directory-traversal-vulnerability
source https://williechiu40.wordpress.com/2017/02/11/javo-themes-spot-lfidirectory-traversal-vulnerability/