what you don't know can hurt you

WordPress Subscribe To Comments 2.1.2 LFI / Code Execution

WordPress Subscribe To Comments 2.1.2 LFI / Code Execution
Posted Jul 15, 2015
Authored by Tom Adams

WordPress Subscribe to Comments plugin version 2.1.2 suffers from code execution and local file inclusion vulnerabilities.

tags | exploit, local, vulnerability, code execution, file inclusion
MD5 | 74bb03c43ffa128d12ddf90e4b08b387

WordPress Subscribe To Comments 2.1.2 LFI / Code Execution

Change Mirror Download
Details
================
Software: Subscribe to Comments
Version: 2.1.2
Homepage: http://wordpress.org/plugins/subscribe-to-comments/
Advisory report: https://security.dxw.com/advisories/admin-only-local-file-inclusion-and-arbitrary-code-execution-in-subscribe-to-comments-2-1-2/
CVE: Awaiting assignment
CVSS: 8 (High; AV:N/AC:L/Au:S/C:C/I:P/A:P)

Description
================
Admin-only local file inclusion and arbitrary code execution in Subscribe to Comments 2.1.2

Vulnerability
================
Administrators can perform Local File include attacks, which is a privilege escalation on systems where the administrator doesn’t have control over the server.
If administrators can upload PHP files (or any file which can contain “<?php …”), they can also perform arbitrary code execution by the same method.

Proof of concept
================

http://localhost/wp-admin/options-general.php?page=stc-options
Set “Path to header” to “/etc/passwd”
Check “Use custom style for Subscription Manager”
“Update Options”
https://localhost/?wp-subscription-manager=1


Mitigations
================
Upgrade to version 2.3 or later

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================
2013-08-07: Discovered
2015-07-13: Reported to vendor by email
2015-07-13: Requested CVE
2015-07-14: Vendor responded confirming fixed in version 2.3
2015-07-14: Published


Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.




Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    15 Files
  • 2
    Jan 2nd
    15 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    1 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    24 Files
  • 8
    Jan 8th
    15 Files
  • 9
    Jan 9th
    16 Files
  • 10
    Jan 10th
    23 Files
  • 11
    Jan 11th
    17 Files
  • 12
    Jan 12th
    3 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    33 Files
  • 16
    Jan 16th
    23 Files
  • 17
    Jan 17th
    15 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close