# Exploit Title: Payment Gateways Caller for WP e-Commerce for WordPress LFI Vulnerability
# Google Dork: None
# Date: 23/10/2013
# Exploit Author: k3170makan
# Vendor Homepage: http://wordpress.org/plugins/payment-gateways-caller-for-wp-e-commerce/
# Software Link: https://github.com/andrezrv/wp-e-commerce-merchants-caller
# Version: <0.1.1
# Tested on: Ubuntu 12.04.2 LTS

Payment Gateways Caller for WP e-Commerce (before version 0.1.1) for
WordPress suffers from a Local File Inclusion vulnerability. This exposes
web servers running the plugin to critical information disclosure and path
traversal vulnerabilities, and could enable remote or arbitrary code
execution due to the way the vulnerability is caused.

Here's the code detailing the issue:

function wpscmc_load_merchant() {

    if ( wpscmo_ecommerce_is_installed() and !empty( $_GET['load_merchant'] ) ) {

        include_once( wpscmo_get_merchants_path() . '/' . $_GET['load_merchant'] . '.php' );

        die(); // This is required in order to avoid WP pages to load.

    }

}

The include_once call in the wpscmc_load_merchant function takes its input
directly from a GET request, allowing attackers to inject "../" sequences
and access other files on the web server's file system.

This plugin has recently been updated with a mitigation to prevent Local File
Inclusion vulnerabilities in v0.1.1.
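
For comparison with the vulnerable include_once call above, here is one way to constrain the load_merchant value before it reaches an include. This is an added example, not the plugin's actual v0.1.1 code; the function name example_resolve_merchant, the temporary directory layout and the sample request values are all constructed for illustration.

```php
<?php
// Added example (not the plugin's code): map a requested merchant name to a
// file inside the merchants directory, or return null to reject the request.
function example_resolve_merchant( $merchants_dir, $requested ) {
    // Accept plain identifiers only: no dots, slashes, NUL bytes or
    // stream-wrapper syntax can match this pattern. Arrays are rejected too.
    if ( ! is_string( $requested )
        || ! preg_match( '/\A[A-Za-z0-9_-]{1,64}\z/', $requested ) ) {
        return null;
    }
    $base = realpath( $merchants_dir );
    if ( false === $base ) {
        return null;
    }
    // Canonicalise the path (this resolves symlinks) and confirm the result
    // is still located under the merchants directory.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $requested . '.php' );
    if ( false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $target;
}

// Constructed layout: one legitimate merchant file, one file outside the directory.
$root = sys_get_temp_dir() . '/lfi_demo_' . uniqid();
mkdir( $root . '/merchants', 0700, true );
file_put_contents( $root . '/merchants/paypal.php', "<?php // constructed merchant\n" );
file_put_contents( $root . '/secret.php', "<?php // outside the merchants directory\n" );

// Constructed values, as they could arrive in $_GET['load_merchant'].
$samples = array( 'paypal', '../secret', 'missing', array( 'paypal' ) );
foreach ( $samples as $value ) {
    $file  = example_resolve_merchant( $root . '/merchants', $value );
    $label = json_encode( $value, JSON_UNESCAPED_SLASHES );
    printf( "%-12s => %s\n", $label, null === $file ? 'rejected' : 'include ' . basename( $file ) );
}

// Remove the constructed files again.
unlink( $root . '/merchants/paypal.php' );
unlink( $root . '/secret.php' );
rmdir( $root . '/merchants' );
rmdir( $root );
```

Only the first sample resolves to a file; the traversal string, the nonexistent name and the array value are all rejected before any include would run.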

< http://blog.k3170makan.com />