Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

WordPress tutor 1.5.3 - Local File Inclusion

By kannthu

High
Vidoc logoVidoc Module
#wordpress#wp-plugin#lfi#edb
Description

What is the "WordPress tutor 1.5.3 - Local File Inclusion?"

The "WordPress tutor 1.5.3 - Local File Inclusion" module is designed to detect a vulnerability in the WordPress tutor plugin version 1.5.3. This vulnerability allows an attacker to include local files on the server, potentially leading to unauthorized access or information disclosure. The severity of this vulnerability is classified as high.

This module was authored by 0x240x23elu.

Impact

If successfully exploited, the local file inclusion vulnerability in the WordPress tutor plugin can allow an attacker to access sensitive files on the server. This could include configuration files, user credentials, or other sensitive information. The attacker may also be able to execute arbitrary code, leading to further compromise of the affected system.

How the module works?

The module sends an HTTP GET request to the "/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=/etc/passwd" path. It then checks the response body for the presence of the string "root:.*:0:0:". If this string is found, the module considers the vulnerability to be present.

By exploiting this vulnerability, an attacker can retrieve the contents of the "/etc/passwd" file, which typically contains user account information.

It is important to note that this module is just one test case used in the Vidoc platform for scanning purposes.

For more information about this vulnerability, you can refer to the Exploit Database.

Metadata: max-request: 1

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/wp-content/plugins/...
Matching conditions
regex: root:.*:0:0:
Passive global matcher
No matching conditions.
On match action
Report vulnerability