WordPress wp-staging 2.4.8 Plugin - Local File Inclusion Vulnerability

2019-01-12T00:00:00
ID 1337DAY-ID-31933
Type zdt
Reporter 41!kh4224rDz
Modified 2019-01-12T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Exploit Title:  WordPress Plugin wp-staging 2.4.8 - Local File Inclusion
# Date: 12/01/2019
# Exploit Author:41!kh4224rDz
# Vendor Homepage: https://wp-staging.com/
# Software Link: https://wordpress.org/plugins/wp-staging/
# Category: webapps
# Version:2.4.8
# Tested on: WiN7_x64/

#Local File Inclusion
# File: /index.php
# Vulnerable code: $activeTab = $_GET['tab'] : "import_export";
30:require_once $this->path . "views/tools/tabs/" . $activeTab . ".php"; 
5: $activeTab = $_GET['tab'] : "import_export"; 

# Example payload:
tab=[LFI]

#  0day.today [2019-02-07]  #