"WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion"

Author: "Ali S. Ahmad"
Platform: php
Release date: 2019-03-28

Release Date Title Type Platform Author
2019-06-20 "WebERP 4.15 - SQL injection" webapps php "Semen Alexandrovich Lyhin"
2019-06-17 "AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)" remote php AkkuS
2019-06-12 "FusionPBX 4.4.3 - Remote Command Execution" webapps php "Dustin Cobb"
2019-06-11 "phpMyAdmin 4.8 - Cross-Site Request Forgery" webapps php Riemann
2019-06-11 "WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution" webapps php xulchibalraa
2019-06-10 "UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting" webapps php Unk9vvN
2019-06-04 "IceWarp 10.4.4 - Local File Inclusion" webapps php JameelNabbo
2019-06-03 "WordPress Plugin Form Maker 1.13.3 - SQL Injection" webapps php "Daniele Scanu"
2019-06-03 "KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities" webapps php SlidingWindow
2019-05-29 "pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting" webapps php "Chi Tran"
2019-05-24 "Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service PoC" webapps php "Todor Donev"
2019-05-23 "Nagios XI 5.6.1 - SQL injection" webapps php JameelNabbo
2019-05-22 "Horde Webmail 5.2.22 - Multiple Vulnerabilities" webapps php InfinitumIT
2019-05-21 "WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities" webapps php "Simone Quatrini"
2019-05-21 "Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting" webapps php "Dionach Ltd"
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-20 "eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution" webapps php liquidsky
2019-05-20 "GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-17 "Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution" webapps php "numan türle"
2019-05-16 "DeepSound 1.0.4 - SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-15 "Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting" webapps php LiquidWorm
2019-05-15 "CommSy 8.6.5 - SQL injection" webapps php "Jens Regel_ Schneider_ Wulf"
2019-05-14 "PasteShr 1.6 - Multiple SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-14 "Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection" webapps php "Julien Ahrens"
2019-05-14 "Sales ERP 8.1 - Multiple SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-14 "PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)" remote php AkkuS
2019-05-13 "OpenProject 5.0.0 - 8.3.1 - SQL Injection" webapps php "SEC Consult"
2019-05-13 "XOOPS 2.5.9 - SQL Injection" webapps php "felipe andrian"
2019-05-13 "SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - SQL Injection" webapps php LiquidWorm
Release Date Title Type Platform Author
2019-03-28 "WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion" webapps php "Ali S. Ahmad"
2019-03-28 "WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion" webapps php "Ali S. Ahmad"
import requests

# Fetch this exploit's metadata record as JSON from the nmmapper API
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46619/?format=json')

{"url": "https://www.nmmapper.com/api/exploitdetails/46619/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46619/41070/wordpress-plugin-loco-translate-221-local-file-inclusion/download/", "exploit_id": "46619", "exploit_description": "\"WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion\"", "exploit_date": "2019-03-28", "exploit_author": "\"Ali S. Ahmad\"", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}

# Exploit Title: Wordpress Loco Translate (Version 2.2.1) Plugin LFI
# Google Dork: N/A
# Date: 03 / 26 / 2019
# Exploit Author: Ali S. Ahmad (S4R1N)
# Vendor Homepage: https://localise.biz/
# Software Link: https://wordpress.org/plugins/loco-translate/
# Version: (Version 2.2.1)
# Tested on: Debian GNU/Linux 9 (Docker)
# CVE : N/A
***********************************************************************
Discovered By: Ali S. Ahmad (S4R1N) 03 / 26 / 2019
***********************************************************************
A local file inclusion bug was discovered in the WordPress Loco Translate plugin (version 2.2.1).

This bug can be exploited by any user who has access to the plugin, at any access level from subscriber to admin. Exploitation abuses the plugin's template editing functionality and its file-view action, which allows a user to access any system file and view its contents.
Exploitation can be done via two main methods: either using (..%2F..%2F..%2F..%2Fetc%2Fpasswd) or directly calling the file via its file path (/etc/passwd).

***********************************************************************
Tools used : 
Attacker OS : Fedora 29 
Victim OS : Debian GNU/Linux 9 (running on docker)
Manual Testing tool : Burp Repeater / Browser
***********************************************************************
Proof of Concept (PoC):

Step 1 - Log into the WordPress instance
Step 2 - Make sure the given user has access to the plugin (this can be confirmed by checking the side panel for the Loco Translate plugin)
Step 3 - Select the theme you would like
Step 4 - Click edit template
Step 5 - Click Source (to view file source code)
Step 6 - In the URL bar, change path to the file you want to read (something like /etc/passwd); the file path will then be visible.

URL: the following should yield the contents of /etc/passwd:
/wp-admin/admin.php?path=%2Fetc%2Fpasswd&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view
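
A defender-side way to spot the two request shapes described above in web server access logs. This is an added example, not part of the original advisory or the plugin's code. The log lines are constructed, and it assumes legitimate `path` values are relative paths such as `themes/<theme>/languages/<file>.po`.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (combined log format); client IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Mar/2019:10:01:02 +0000] "GET /wp-admin/admin.php?path=themes%2Ftwentynineteen%2Flanguages%2Ffr_FR.po&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view HTTP/1.1" 200 5120
198.51.100.9 - - [28/Mar/2019:10:03:11 +0000] "GET /wp-admin/admin.php?path=%2Fetc%2Fpasswd&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view HTTP/1.1" 200 1843
198.51.100.9 - - [28/Mar/2019:10:03:40 +0000] "GET /wp-admin/admin.php?path=..%2F..%2F..%2F..%2Fetc%2Fpasswd&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view HTTP/1.1" 200 1843
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify_path(value):
    """Return why a file-view `path` value is suspicious, or None if it looks relative."""
    # Assumption: legitimate values are relative (e.g. themes/<theme>/languages/x.po).
    for _ in range(3):  # undo nested percent-encoding such as %252F
        value = unquote(value)
    if value.startswith("/"):
        return "absolute path"
    if ".." in value.split("/"):
        return "directory traversal"
    return None

def find_suspicious(log_text):
    """Return (client, status, path, reason) for Loco Translate file-view requests to triage."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        qs = parse_qs(url.query)  # decodes percent-encoding once
        is_loco_view = (url.path.endswith("/wp-admin/admin.php")
                        and qs.get("page", [""])[0].startswith("loco-")
                        and qs.get("action", [""])[0] == "file-view")
        if not is_loco_view:
            continue
        for raw in qs.get("path", []):
            reason = classify_path(raw)
            if reason:
                hits.append((client, int(status), raw, reason))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```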