
Tinymce Thumbnail Gallery <=1.0.7 - Local File Inclusion

By kannthu

High
Vidoc Module
#wordpress #wp-theme #lfi #tinymce
Description

This page describes the functionality and purpose of the Tinymce Thumbnail Gallery module for the Vidoc platform. The module detects a high severity vulnerability in versions 1.0.7 and earlier of the Tinymce Thumbnail Gallery WordPress plugin: a local file inclusion via the plugin's download-image.php file, a flaw that could have sizable impact on the affected site. Authored by 0x_Akoko, it specifically targets WordPress applications and gives security teams a way to identify and report the vulnerability.

Impact

With a CVSS score of 7.5, this module detects a high severity vulnerability. Sites running version 1.0.7 or earlier of Tinymce Thumbnail Gallery on WordPress are susceptible to local file inclusion, a potent threat that can expose server-side files (for example wp-config.php and the database credentials it holds) to unauthorised readers. Quick detection and remediation of such a vulnerability helps prevent data breaches and keeps your online resources secure.

How the Module Works

The module works by sending HTTP requests and applying matching conditions to the responses to identify the vulnerability. It uses a GET request with a specifically crafted path targeting the download-image.php file in the Tinymce Thumbnail Gallery plugin. Here's a simplified example of the HTTP request made by the module:

GET /wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php HTTP/1.1

After sending the request, the module checks the response body for the strings "DB_NAME" and "DB_PASSWORD" and verifies that the status code is 200. Both conditions must be met for the vulnerability to be reported. If either condition is unmet, the module does not report a vulnerability, which reduces false positives and ensures that only accurate and substantial findings are raised.
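The word-and-status rule described above, as an added example that is not Vidoc's or the module's own code: it applies the two conditions offline to constructed sample responses to show which ones would and would not be reported (the Response class and the sample bodies are assumptions made for illustration).

```python
# Added example, not Vidoc's own code: the module's matching rule
# ("word" DB_NAME and DB_PASSWORD, joined with AND to "status" 200)
# applied offline to constructed responses, to show why both
# conditions are required before a finding is reported.
from dataclasses import dataclass

REQUIRED_WORDS = ("DB_NAME", "DB_PASSWORD")  # word matcher from the module
REQUIRED_STATUS = 200                         # status matcher from the module


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not a real client)."""
    status: int
    body: str


def words_match(resp: Response) -> bool:
    """All listed words must appear in the body (the module's 'word' condition)."""
    return all(word in resp.body for word in REQUIRED_WORDS)


def status_match(resp: Response) -> bool:
    """The module's 'status' condition."""
    return resp.status == REQUIRED_STATUS


def report_vulnerability(resp: Response) -> bool:
    """Both conditions are joined with AND: only then is a finding reported."""
    return words_match(resp) and status_match(resp)


# Constructed sample responses (hypothetical, for illustration only).
SAMPLES = {
    # wp-config.php contents returned verbatim: both words, status 200 -> report
    "leaked_config": Response(200, "<?php\ndefine('DB_NAME', 'wp');\n"
                                   "define('DB_PASSWORD', 'example');\n"),
    # Patched handler rejects the request: nothing to match, status 403 -> no report
    "rejected": Response(403, "Forbidden"),
    # Docs page that merely mentions one constant: word condition fails
    "docs_page": Response(200, "<p>Set DB_NAME in wp-config.php</p>"),
    # Error page echoing both words but not 200: status condition fails
    "error_page": Response(500, "Missing DB_NAME / DB_PASSWORD"),
}


def findings() -> dict:
    """Evaluate every sample; True means the module would report."""
    return {name: report_vulnerability(r) for name, r in SAMPLES.items()}
```

Only the leaked configuration sample satisfies both conditions; the other three each fail exactly one of them, which is the false-positive filtering the paragraph describes.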

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /wp-content/plugins/...
Matching conditions
word: DB_NAME, DB_PASSWORD (and)
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability