22 Nov

Authenticated Local File Inclusion (LFI) Vulnerability in Vmax Project Manager

We recently noticed an authenticated arbitrary file upload vulnerability in the plugin Vmax Project Manager. While writing up the details of that we were tracing back the code that would be involved in that and at first we couldn’t figure out how part of it would work. Then we figured that out and noticed that there is also an authenticated local file inclusion (LFI) vulnerability in the plugin.

The plugin makes its main admin page available to anyone with the “read” capability, which is a capability that provides access to Admin dashboard and is a capability provided to Subscriber-level users and above (in the file /vpm.php):

$menu = add_menu_page('Vpm Project Manager', 'Project Manager', 'read', 'vpm-project', 'vpm_project' );

The function called includes the file /view/index.php:

function vpm_project() {
	$body	=	'project';
	include( VPMDIR . '/view/index.php');

In that file, if the GET input “module” exists, its value is used in an include statement:

if(isset($_GET['module'])) {
	$body = sanitize_text_field($_GET['module']);
// Loads the body page for each specific menu/tasks inside the plugin.
include $body.".php";

There is no restriction on directory traversal being used there, so files outside of the directory that files are intended to be included from can be accessed.

We used this vulnerability to as the basis for adding checking for some local file inclusion (LFI) vulnerabilities to our security checker for WordPress plugins.

We notified the developer of the issue on October 23. They responded the same day that it would be fixed within two weeks, but so far no new version of the plugin has been released. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

The following proof of concept will cause a file named test.php in the root directory of the WordPress installation to be included, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress



  • October 23, 2017 – Developer notified.
  • October 23, 2017 – Developer responds.

Concerned About The Security of the Plugins You Use?

To make sure a plugin you are using or considering using has been properly secured you get a complete security review of it from us.

Leave a Reply

Your email address will not be published. Required fields are marked *