PHP file inclusion in Adaptive Images for WordPress

#VU19312 PHP file inclusion in Adaptive Images for WordPress

Published: 2020-03-18

Vulnerability identifier: #VU19312

Vulnerability risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-14205

CWE-ID: CWE-98

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Adaptive Images for WordPress
Web applications / Modules and components for CMS

Vendor: Nevma

Description

The vulnerability allows a remote attacker to include arbitrary file on the system.

The vulnerability exists due to input validation error when processing directory traversal sequences passed via the "$_REQUEST['adaptive-images-settings']['source_file']" parameter in "adaptive-images-script.php". A remote attacker can set in an arbitrary way the file requested that will be served from the script.

PoC:

http://[host]/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=../../../wp-config.php

http://[host]/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=/etc/passwd

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Adaptive Images for WordPress: 0.2.08 - 0.6.66

External links
http://github.com/markgruffer/markgruffer.github.io/blob/master/_posts/2019-07-19-adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.markdown
http://markgruffer.github.io/2019/07/19/adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Nevma Adaptive Images for WordPress