Menu

Improved exploit search engine. Try it out

"WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion"

Author

"Ali S. Ahmad"

Platform

php

Release date

2019-03-28

Release Date Title Type Platform Author
2019-04-22 "UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting" webapps php "Kağan EĞLENCE"
2019-04-22 "Msvod 10 - Cross-Site Request Forgery (Change User Information)" webapps php ax8
2019-04-22 "74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)" webapps php ax8
2019-04-22 "WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion" webapps php "Panagiotis Vagenas"
2019-04-16 "Joomla Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion" webapps php "Haboob Team"
2019-04-15 "DirectAdmin 1.561 - Multiple Vulnerabilities" webapps php InfinitumIT
2019-04-15 "CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)" remote php AkkuS
2019-04-12 "ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)" webapps php AkkuS
2019-04-10 "Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution" webapps php "Julien Ahrens"
2019-04-09 "Ashop Shopping Cart Software - 'bannedcustomers.php?blacklistitemid' SQL Injection" webapps php "Doğukan Karaciğer"
2019-02-27 "PHP 7.2 - 'imagecolormatch()' Out of Band Heap Write" remote php cfreal
2019-04-08 "WordPress Plugin Limit Login Attempts Reloaded 2.7.4 - Login Limit Bypass" webapps php isdampe
2019-04-08 "Tradebox CryptoCurrency - 'symbol' SQL Injection" webapps php "Abdullah Çelebi"
2019-04-08 "ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities" webapps php Ramikan
2019-04-08 "Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution" webapps php FelipeGaspar
2019-04-08 "Jobgator - 'experience' SQL Injection" webapps php "Ahmet Ümit BAYRAM"
2019-04-05 "WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery" webapps php "Peyman Forouzan"
2019-04-05 "WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)" remote php Metasploit
2019-04-04 "FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)" webapps php "Yilmaz Degirmenci"
2019-04-03 "PhreeBooks ERP 5.2.3 - Arbitrary File Upload" webapps php "Abdullah Çelebi"
2019-04-03 "Ashop Shopping Cart Software - SQL Injection" webapps php "Ahmet Ümit BAYRAM"
2019-04-03 "Clinic Pro v4 - 'month' SQL Injection" webapps php "Abdullah Çelebi"
2019-04-03 "iScripts ReserveLogic - SQL Injection" webapps php "Ahmet Ümit BAYRAM"
2019-04-03 "TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)" remote php AkkuS
2019-04-02 "phpFileManager 1.7.8 - Local File Inclusion" webapps php "Murat Kalafatoglu"
2019-04-02 "Fiverr Clone Script 1.2.2 - SQL Injection / Cross-Site Scripting" webapps php "Mr Winst0n"
2019-04-02 "CMS Made Simple < 2.2.10 - SQL Injection" webapps php "Daniele Scanu"
2019-04-02 "LimeSurvey < 3.16 - Remote Code Execution" webapps php q3rv0
2019-04-02 "WordPress Plugin PayPal Checkout Payment Gateway 1.6.8 - Parameter Tampering" webapps php "Vikas Chaudhary"
2019-04-02 "Inout RealEstate - 'city' SQL Injection" webapps php "Ahmet Ümit BAYRAM"
Release Date Title Type Platform Author
2019-03-28 "WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion" webapps php "Ali S. Ahmad"
2019-03-28 "WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion" webapps php "Ali S. Ahmad"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46619/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46619/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46619/41070/wordpress-plugin-loco-translate-221-local-file-inclusion/download/", "exploit_id": "46619", "exploit_description": "\"WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion\"", "exploit_date": "2019-03-28", "exploit_author": "\"Ali S. Ahmad\"", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# Exploit Title: Wordpress Loco Translate (Version 2.2.1) Plugin LFI
# Google Dork: N/A
# Date: 03 / 26 / 2019
# Exploit Author: Ali S. Ahmad (S4R1N)
# Vendor Homepage: https://localise.biz/
# Software Link: https://wordpress.org/plugins/loco-translate/
# Version: (Version 2.2.1)
# Tested on: Debian GNU/Linux 9 (Docker)
# CVE : N/A
***********************************************************************
Discovered By: Ali S. Ahmad (S4R1N) 03 / 26 / 2019
***********************************************************************
A local file inclusion bug was discovered on the Wordpress Loco Translate (Version 2.2.1) Plugin. 

This bug can be exploited by any user who has acces to the plugin with the access levels ranging from subscriber to admin. Exploitation of the bug abuses the template editing fucntionality of the plugin and the file-view action, this allows a user to access any system file and view its contents. 
Exploitation can be done via two main methods, either using (..%2F..%2F..%2F..%2Fetc%2Fpasswd) or directly calling the file via file path (/etc/passwd).

***********************************************************************
Tools used : 
Attacker OS : Fedora 29 
Victim OS : Debian GNU/Linux 9 (running on docker)
Manual Testing tool : Burp Repeater / Browser
***********************************************************************
Proof of Concept (PoC):

Step 1 - Log into Wordpress instance
Step 2 - Make sure the given user has access to the plugin (can be confirmed on by checking the side panel for the Loco Translate Plugin)
Step 3 - Select the theme you would like 
Step 4 - Click edit template
Step 5 - Click Source (to view file source code)
Step 6 - In the url bar change path to the file you want to read (something like /etc/passwd), file path will then be visible. 

URL : the following should yeild the contents of /etc/passwd /wp-admin/admin.php?path=%2Fetc%2Fpasswd&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view