Themes Vulnerabilities

ChurcHope Theme <= 2.1 - Local File Inclusion (LFI)

Description

The vulnerability is caused by improper filtration of user-supplied input passed via the 'file' HTTP GET parameter to the '/lib/downloadlink.php' script, which is publicly accessible.

Proof of Concept

Affects Themes

churchope
Fixed in 2.2

References

URL
https://themeforest.net/item/churchope-responsive-wordpress-theme/2708562?s_rank=1
URL
https://themeforest.net/item/churchope-responsive-wordpress-theme/2708562/comments?page=97

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Submitter
Justin Smith
Verified
No
WPVDB ID
3c5833bd-1fe0-4eba-97aa-7d3a0c8fda15

Timeline

Publicly Published
2014-12-07 (about 11 years ago)
Added
2014-12-07 (about 11 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2024-02-01
Title
Popup More < 2.2.5 - Admin+ Directory Traversal to Limited Local File Inclusion
Published
2025-03-25
Title
Jobs for WordPress < 2.7.12 - Authenticated (Subscriber+) Arbitrary File Read
Published
2025-08-27
Title
Printeers Print & Ship <= 1.17.0 - Unauthenticated Path Traversal
Published
2015-08-24
Title
Multi Plugin Installer < 1.2.0 - Unauthenticated File Traversal
Published
2023-04-18
Title
YARPP - Yet Another Related Posts Plugin < 5.30.5 - Subscriber+ LFI