Authenticated Local File Inclusion (LFI)

Authenticated Local File Inclusion (LFI) Vulnerability in Posts in Page

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor hacking attempts on our websites. Through that we recently came across a request for a file, /wp-content/plugins/posts-in-page/assets/posts_in_page_help_view.php, from the plugin Posts in Page.

Nothing in that file looks like it could be exploited, so it looks like that request was instead probing for usage of the plugin. In looking over the rest of the code of the plugin we did find one vulnerability, that might be of more interest to hackers with the recent exploitation of a vulnerability in WordPress 4.7.0 and 4.7.1 that allowed an attacker to modify posts. [Read more]

Protecting You Against Wordfence’s Bad Practices: Local File Inclusion Vulnerability in WP Fastest Cache

_{Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.}

Wordfence describes the vulnerability in WP Fastest Cache version 0.8.5.7 as “The Local File Inclusion vulnerability allows an attacker to execute code on the target web server or on a site visitor’s browser. This enables the attacker to steal or manipulate data, perform a denial of service attack or enable additional attack types such as Cross Site Scripting.” [Read more]

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: Authenticated Local File Inclusion (LFI)

Authenticated Local File Inclusion (LFI) Vulnerability in Posts in Page

Protecting You Against Wordfence’s Bad Practices: Local File Inclusion Vulnerability in WP Fastest Cache