Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "WordPress Ad Widget 2.11.0 - Local File Inclusion" module is designed to detect a vulnerability in the WordPress Ad Widget plugin version 2.11.0. This vulnerability allows an attacker to exploit a local file inclusion (LFI) vulnerability in the plugin, potentially leading to the disclosure of sensitive information. The severity of this vulnerability is classified as high.
This module was authored by 0x_Akoko.
Exploiting the local file inclusion vulnerability in the WordPress Ad Widget plugin can allow an attacker to access sensitive information that could be used for further attacks. This information disclosure can pose a significant risk to the security and privacy of the affected WordPress website.
The module sends an HTTP GET request to the vulnerable endpoint:
/wp-content/plugins/ad-widget/views/modal/?step=../../../../../../../etc/passwd%00
The module then applies two matching conditions:
- Regex Matcher: The module checks if the response contains the string "root:[x*]:0:0". If this string is found, it indicates that the module has successfully exploited the local file inclusion vulnerability. - Status Matcher: The module checks if the HTTP response status is 200. If the status is 200, it confirms that the vulnerable endpoint is accessible.If both matching conditions are met, the module reports the vulnerability.