31 Oct 2023

Authenticated Local File Inclusion (LFI) Vulnerability in NextGEN Gallery

WPScan recently claimed there had been an admin+ local file inclusion vulnerability in the WordPress plugin NextGEN Gallery. That wouldn’t be a vulnerability, as Administrators can already do the equivalent of that. The proof of concept suggested that if there really was a vulnerability, it wasn’t only accessible to Administrators. One of the steps suggests that anyone with the ability to create posts or pages could exploit this:


[Read more]

9 Nov 2022

Authenticated Local File Inclusion (LFI) Vulnerability in WordPress Plugin Ultimate Member

The latest version of the WordPress plugin Ultimate Member had a changelog entry “Fixed: Directory traversal vulnerabilities”. In looking into that at the time, we found that part of it wasn’t a vulnerability, though there was a security issue, which we contacted the developer about. It turns out there was a second instance, where there really was a vulnerability.


[Read more]

4 Feb 2022

Authenticated Local File Inclusion (LFI) Vulnerability in Transposh Translation Filter

While we were attempting to test to see if the WordPress plugin Transposh Translation Filter was susceptible to another vulnerability, we stumbled across an authenticated local file inclusion vulnerability in the plugin, which can also be exploited through cross-site request forgery (CSRF).

What led to that was this comment on a support forum topic for the plugin: [Read more]

14 May 2019

Authenticated Local File Inclusion (LFI) Vulnerability in Photo Gallery by 10Web

Earlier today we detailed a vulnerability for our customers in a plugin by 10Web/TenWeb/Web-Dorado where, while the vulnerability was fixed, the code still wasn’t properly secured. So what we then found while looking into whether a vulnerability had also been fixed in their Photo Gallery (Photo Gallery by 10Web) plugin was not all that surprising. While trying to confirm that an authenticated persistent cross-site scripting (XSS) vulnerability had been fixed in the plugin, we got an error message that indicated there was, and we then confirmed there still is, an authenticated local file inclusion (LFI) vulnerability in the plugin. It really isn’t a great sign for the security of WordPress plugins that you can accidentally run into a vulnerability in a plugin with 300,000+ installs (according to wordpress.org).

The error message indicated that user input from a shortcode generated through the plugin was being passed to the following line of code in the file /frontend/controllers/controller.php through the variable $view: [Read more]

14 Jan 2019

Our Proactive Monitoring Caught an Authenticated Local File Inclusion (LFI) Vulnerability in Shortcode Factory

Recently we added checks for possible local file inclusion (LFI) vulnerabilities to our proactive monitoring of changes being made to WordPress plugins, to try to catch serious vulnerabilities when they are introduced into plugins, and considering the state of security of WordPress plugins it probably isn’t surprising that we have already caught another vulnerability of that type. Specifically, we caught an authenticated local file inclusion (LFI) vulnerability in Shortcode Factory, which could also be exploited through cross-site request forgery (CSRF). The vulnerability had been in the plugin for nearly four years without being noticed.

Our Plugin Security Checker will alert you if plugins you use possibly contain the same type of vulnerable code (and possibly more serious vulnerable code). From there, if you are a paying customer of our service, you can suggest/vote for it to receive a security review that will check that over, or you can order the same type of review separately. [Read more]
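The monitoring described above looks for the code shape behind this class of bug: an include or require whose path is not fixed at write time. The following is an added illustration of that kind of check and is not the service’s own tooling; the plugin fragment it scans is constructed for the example. It uses PHP’s tokenizer to flag include/require statements whose operand contains a variable, which is deliberately a “possible” signal, since a variable that only ever holds trusted paths is a false positive and an include built purely from function calls is missed.

```php
<?php
// Added example (not the Plugin Security Checker's code): a minimal static
// check that reports include/require statements whose operand contains a
// variable. Such statements are where user input turns into a local file
// inclusion, so they are worth a manual look.

function find_dynamic_includes( string $php_source ): array {
	$include_tokens = array( T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE );
	$tokens         = token_get_all( $php_source );
	$count          = count( $tokens );
	$findings       = array();

	for ( $i = 0; $i < $count; $i++ ) {
		$tok = $tokens[ $i ];
		if ( ! is_array( $tok ) || ! in_array( $tok[0], $include_tokens, true ) ) {
			continue;
		}

		// Gather the operand up to the statement terminator (or a closing tag),
		// noting whether any variable takes part in building the path.
		$operand      = array();
		$has_variable = false;
		for ( $j = $i + 1; $j < $count; $j++ ) {
			$t = $tokens[ $j ];
			if ( ';' === $t || ( is_array( $t ) && T_CLOSE_TAG === $t[0] ) ) {
				break;
			}
			if ( is_array( $t ) && T_VARIABLE === $t[0] ) {
				$has_variable = true;
			}
			$operand[] = is_array( $t ) ? $t[1] : $t;
		}

		if ( $has_variable ) {
			$findings[] = array(
				'line'      => $tok[2],
				'statement' => $tok[1] . ' ' . trim( implode( '', $operand ) ),
			);
		}
	}
	return $findings;
}

// Constructed plugin fragment, modelled on the pattern in these posts: a
// shortcode attribute is used, unchecked, to build an include path.
$sample = <<<'PHP'
<?php
require_once __DIR__ . '/includes/helpers.php';
function my_gallery_shortcode( $atts ) {
	$view = $atts['view'];
	include plugin_dir_path( __FILE__ ) . 'views/' . $view . '.php';
}
PHP;

foreach ( find_dynamic_includes( $sample ) as $f ) {
	printf( "line %d: %s\n", $f['line'], $f['statement'] );
}
```

Run against the constructed fragment, the `require_once` of a fixed path is left alone and only the `include` that builds its path from `$view` is reported; in practice the report is the starting point for checking where that variable comes from and whether anything limits its value.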

19 Jun 2018

Authenticated Local File Inclusion (LFI) Vulnerability in ChimpMate

In seeking to continue to improve our Plugin Security Checker, which does automated checks to try to spot potential security issues in WordPress plugins, we log the results of checks of plugins in the Plugin Directory. The plugin ChimpMate was recently run through that, and one of the issues identified was a possible local file inclusion vulnerability:

[Read more]

22 Nov 2017

Authenticated Local File Inclusion (LFI) Vulnerability in Vmax Project Manager

We recently noticed an authenticated arbitrary file upload vulnerability in the plugin Vmax Project Manager. While writing up the details of that we were tracing back the code that would be involved in that and at first we couldn’t figure out how part of it would work. Then we figured that out and noticed that there is also an authenticated local file inclusion (LFI) vulnerability in the plugin.

The plugin makes its main admin page available to anyone with the “read” capability, which is the capability that provides access to the admin dashboard and is granted to Subscriber-level users and above (in the file /vpm.php): [Read more]
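To make the capability point concrete, the following is a constructed example and not Vmax Project Manager’s code: a menu page registered with the “read” capability, beside a hardened registration. Because “read” is granted to Subscribers, the first form exposes the page, and anything the page includes, to every logged-in user; the function names, the “tab” parameter and the file names are assumptions for the illustration.

```php
<?php
// Added example (constructed; not the plugin's code). The vulnerable form
// registers the page for the 'read' capability and builds an include path
// from a request parameter; the hardened form gates on a capability that
// matches what the page does and maps the parameter onto a fixed file list.

// Vulnerable pattern: reachable by any logged-in user, including Subscribers.
function vpm_register_page_vulnerable() {
	add_menu_page( 'Projects', 'Projects', 'read', 'vpm', 'vpm_render_page_vulnerable' );
}
function vpm_render_page_vulnerable() {
	$tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'overview';
	// Local file inclusion: 'tab' controls the path.
	include plugin_dir_path( __FILE__ ) . 'tabs/' . $tab . '.php';
}

// Hardened pattern: appropriate capability at registration, re-checked in
// the callback, and the request value only ever selects a known file.
function vpm_register_page_hardened() {
	add_menu_page( 'Projects', 'Projects', 'manage_options', 'vpm', 'vpm_render_page_hardened' );
}
function vpm_render_page_hardened() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.' );
	}
	$tabs = array(
		'overview' => 'tabs/overview.php',
		'tasks'    => 'tabs/tasks.php',
	);
	$tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'overview';
	if ( ! isset( $tabs[ $tab ] ) ) {
		$tab = 'overview';
	}
	include plugin_dir_path( __FILE__ ) . $tabs[ $tab ];
}
add_action( 'admin_menu', 'vpm_register_page_hardened' );
```

The capability passed to add_menu_page() decides who can load the page at all, and WordPress enforces it for the menu entry, so the capability check inside the callback is belt and braces against the page being reached some other way; the whitelist is what actually removes the file inclusion, since no request value can name a file outside the array.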

30 Oct 2017

Authenticated Local File Inclusion (LFI) Vulnerability in PluginOps Page Builder

As we discussed in a previous post, while reviewing the changes in a recent version of the plugin PluginOps Page Builder we found that a local file inclusion (LFI) vulnerability had recently been fixed in the plugin. In looking over the changes that fixed that, we found that there was still a limited authenticated local file inclusion (LFI) vulnerability in the plugin.

In the file /admin/admin.php the plugin registered a shortcode: [Read more]
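Both this entry and the Photo Gallery entry above come down to the same shape: a shortcode attribute that ends up in an include. The following is a constructed example, not the code of either plugin, showing that shape beside a fixed version; the shortcode name, attribute name and view file names are assumptions. Shortcodes run for whoever can get one into post content, so an attribute that reaches include is exploitable by Contributor-level users and above, and by anyone who can get such a user to preview a crafted post.

```php
<?php
// Added example (constructed; not Photo Gallery's or PluginOps Page Builder's
// code). The vulnerable shortcode concatenates its attribute into an include
// path; the fixed one uses the attribute only to select from a fixed list.

// Vulnerable: view="../../../../wp-config" would include wp-config.php, and
// any other .php file reachable by traversal is fair game.
function pv_gallery_shortcode_vulnerable( $atts ) {
	$atts = shortcode_atts( array( 'view' => 'thumbnails' ), $atts );
	ob_start();
	include plugin_dir_path( __FILE__ ) . 'views/' . $atts['view'] . '.php';
	return ob_get_clean();
}

// Fixed: an unknown value falls back to the default instead of reaching the
// filesystem, so the attribute can never name a path.
function pv_gallery_shortcode_fixed( $atts ) {
	$atts  = shortcode_atts( array( 'view' => 'thumbnails' ), $atts );
	$views = array(
		'thumbnails' => 'views/thumbnails.php',
		'slideshow'  => 'views/slideshow.php',
	);
	$view = isset( $views[ $atts['view'] ] ) ? $atts['view'] : 'thumbnails';
	ob_start();
	include plugin_dir_path( __FILE__ ) . $views[ $view ];
	return ob_get_clean();
}
add_shortcode( 'pv_gallery', 'pv_gallery_shortcode_fixed' );
```

Note that appending a fixed “.php” suffix, as the vulnerable version does, only narrows the target to PHP files; it does not stop traversal, which is why the fix selects from a list rather than trying to sanitise the attribute.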

9 Oct 2017

Vulnerability Details: Authenticated Local File Inclusion (LFI) Vulnerability in Insert Pages

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.


[Read more]