05 Oct

Arbitrary File Viewing Vulnerability in WP Post Popup

Back in August through our proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins we found that the plugin WP Post Popup contained an arbitrary file viewing vulnerability. That was subsequently fixed. Through that same monitoring we found that the vulnerability had returned to the plugin.

The only difference from last time is that file the vulnerability was now in is named /public/partials/wp-post-modal-public-proxy.php.

In that file the first code was:

if ( isset( $_GET['url'] ) ) {
	echo file_get_contents( $_GET['url'] );
That code takes the value of the GET input “url”, passes it to the function file_get_contents(), and echo’s the result. So with that you can view the contents of any file on the website. Hackers would normally exploit that to the view the contents of the WordPress configuration file, wp-config.php file.

In addition to being able to be used for arbitrary file viewing, the vulnerability could be used for cross-site scripting (XSS) since file_get_contents() can also get the contents of URLs “if the fopen wrappers have been enabled”.

After we notified the developer they removed that file. It was removed 13 minutes after version 2.1.2 was released. So there was a small window for those installing or updating the plugin to version 2.1.2 to have gotten it with that version.  If you are using that version to be safe, check if it contains that file and if it does then remove it.

Proof of Concept

The following proof of concept will display the contents of the WordPress configuration file, wp-config.php.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-content/plugins/wp-post-modal/public/partials/wp-post-modal-public-proxy.php?url=../../../../../wp-config.php


  • October 5, 2017 – Developer notified.
  • October 5, 2017 – Vulnerability resolved.
  • October 5, 2017 – Developer responds.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for free when you sign up now.

Leave a Reply

Your email address will not be published. Required fields are marked *