14 Jan 2019

Our Proactive Monitoring Caught an Authenticated Local File Inclusion (LFI) Vulnerability in Shortcode Factory

Recently we added checks for possible local file inclusion (LFI) vulnerabilities to our proactive monitoring of changes being made to WordPress plugins, to try to catch serious vulnerabilities when they are introduced into plugins. Considering the state of security of WordPress plugins, it probably isn't surprising that we have already caught another vulnerability of that type. Specifically, we caught an authenticated local file inclusion (LFI) vulnerability in Shortcode Factory, which could also be exploited through cross-site request forgery (CSRF), since the vulnerable code does no nonce check. The vulnerability had been in the plugin for nearly four years without being noticed.

Our Plugin Security Checker will alert you if plugins you use possibly contain the same type of vulnerable code (and possibly contain more serious vulnerable code). From there, if you are a paying customer of our service, you can suggest/vote for the plugin to receive a security review that will check over that, or you can order the same type of review separately.

Due to the moderators of the WordPress Support Forum's continued inappropriate behavior, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so that these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, since a previously fully disclosed vulnerability was quickly on hackers' radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important to them than what is best for the rest of the community.

Technical Details

In the file /core/functions.php the function scf_load_shortcode_ui() is registered through the wp_ajax_ action, which makes it accessible to anyone logged in to WordPress (there is no capability check and no nonce check in the function):

add_action( 'wp_ajax_scf_load_shortcode_ui', 'scf_load_shortcode_ui');

In that function the value of the GET or POST input "ui" is used, unsanitized, to build the path passed to an include statement:

function scf_load_shortcode_ui() {
	include(SCF_UI."/header.php");

	if(isset($_REQUEST["ui"]) && !empty($_REQUEST["ui"])) {
		include(SCF_UI."/".$_REQUEST["ui"].".php");

Through the use of directory traversal ("../") in the "ui" value, any .php file on the website can be included, and the code in it will then run. Because the ".php" suffix is appended by the plugin, only files ending in .php can be included this way, but that still covers any PHP file an attacker has managed to place on the server, as well as existing files that behave differently when included out of context.
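As an added illustration (this is not the plugin's code and not a patch the developer has released), the following shows how the handler could be hardened against both the traversal and the CSRF route. It assumes the same SCF_UI directory constant as the plugin and the standard WordPress functions current_user_can(), check_ajax_referer(), wp_die() and add_action(); the helper name scf_safe_ui_path() and the nonce action name are my own. The path validator is plain PHP, so the stand-alone branch at the bottom can be run from the command line to confirm that the traversal string from the proof of concept below is rejected while a simple UI name inside the directory is accepted.

```php
<?php
// Added example, not the plugin's own code. SCF_UI is assumed to be the
// plugin's UI directory, as in the original; it is defined here only so the
// validator can be exercised outside WordPress.
if (!defined('SCF_UI')) {
    define('SCF_UI', __DIR__ . '/ui');
}

/**
 * Resolve the "ui" request value to a file inside SCF_UI, or return null.
 * Only bare names (letters, digits, underscore, hyphen) are accepted, so "/",
 * "..", null bytes and PHP stream wrappers never reach include(). realpath()
 * then confirms the resolved file really sits under the UI directory, which
 * also catches symlinks pointing elsewhere.
 */
function scf_safe_ui_path(string $requested): ?string {
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $requested)) {
        return null;
    }
    $base      = realpath(SCF_UI);
    $candidate = realpath(SCF_UI . '/' . $requested . '.php');
    // realpath() is false for a missing file; the prefix check keeps the
    // include confined to SCF_UI.
    if ($base === false || $candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Hardened replacement for the handler: a capability check limits who may
 * call it, a nonce check closes the CSRF route, and the include path comes
 * from the validator instead of directly from $_REQUEST.
 * (Assumed nonce action name: 'scf_load_shortcode_ui'.)
 */
function scf_load_shortcode_ui_hardened() {
    if (!current_user_can('edit_posts')) {
        wp_die('Forbidden', '', array('response' => 403));
    }
    check_ajax_referer('scf_load_shortcode_ui', 'nonce');

    include(SCF_UI . '/header.php');

    if (!empty($_REQUEST['ui'])) {
        $path = scf_safe_ui_path((string) $_REQUEST['ui']);
        if ($path === null) {
            wp_die('Invalid ui parameter', '', array('response' => 400));
        }
        include($path);
    }
}

if (function_exists('add_action')) {
    // Inside WordPress: register the hardened handler in place of the original.
    add_action('wp_ajax_scf_load_shortcode_ui', 'scf_load_shortcode_ui_hardened');
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone self-check of the validator with constructed inputs,
    // including the traversal value used in the proof of concept.
    @mkdir(SCF_UI);
    file_put_contents(SCF_UI . '/gallery.php', "<?php // constructed sample UI file\n");
    foreach (array('../../../../test', "gallery\0", 'php://input', 'gallery') as $ui) {
        $result = scf_safe_ui_path($ui);
        printf("%-22s => %s\n", json_encode($ui), $result === null ? 'rejected' : $result);
    }
}
```

Note that the nonce check alone would not have been enough here: without the allowlist on the name, any logged-in user who can obtain a nonce could still traverse out of the directory, and without the capability check, subscriber-level accounts could reach the handler at all.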

Proof of Concept

The following proof of concept, when accessed while logged in to WordPress, will cause a file named test.php in the root directory of the WordPress installation to be included.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=scf_load_shortcode_ui&ui=../../../../test

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
