ChurcHope Theme <= 2.1 - Local File Inclusion (LFI)



Description
The vulnerability is caused by improper filtering of user-supplied input passed via the 'file' HTTP GET parameter to the publicly accessible '/lib/downloadlink.php' script.

Proof of Concept
The PoC will be displayed on October 28, 2019, to give users time to update.

Affects Theme

Fixed in version 2.2

References

URL https://themeforest.net/item/churchope-responsive-wordpress-theme/2708562?s_rank=1
URL https://themeforest.net/item/churchope-responsive-wordpress-theme/2708562/comments?page=97

Classification

Type LFI
OWASP Top 10 A1: Injection
CWE CWE-22

Miscellaneous

Submitter Justin Smith
Views 5865
Verified No
WPVDB ID 7710

Timeline

Publicly Published 2014-12-07 (almost 5 years ago)
Added 2014-12-07 (almost 5 years ago)
Last Updated 2019-10-14 (3 days ago)
