SE HTML5 Album Audio Player <= 1.1.0 – Local File Include | CVE 2015-4414

Description

The se-html5-album-audio-player v1.1.0 plugin for wordpress has a local file include vulnerability. The download_audio.php file does not check to see
if the user is authenticated, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.

Proof of Concept

http://www.example.com/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd

Affects Plugins

se-html5-album-audio-player

No known fix

References

CVE

CVE-2015-4414

Exploitdb

37274

URL

https://packetstormsecurity.com/files/#132266/

URL

https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_se_html5_album_audioplayer_file_read.rb

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

Miscellaneous

Submitter

Larry Cashdollar

Submitter twitter

_larry0

Verified

WPVDB ID

934940ff-bf21-4ff4-b72f-1b73ace8f3be

Timeline

Publicly Published

2015-06-06 (about 10 years ago)

Added

2015-06-08 (about 10 years ago)

Last Updated

2019-10-22 (about 6 years ago)

Other

Published

Title

Published

2024-06-06

Title

Qi Addons For Elementor < 1.7.3 - Authenticated (Contributor+) Local File Inclusion

Published

2012-07-10

Title

A Page Flip Book 2.3 - index.php pageflipbook_language Parameter Traversal Local File Inclusion

Published

2018-09-19

Title

Localize My Post 1.0 - Unauthenticated Local File Inclusion (LFI)

Published

2024-06-03

Title

Checkout Field Editor for WooCommerce (Pro) < 3.6.3 - Unauthenticated Arbitrary File Deletion

Published

2024-05-17

Title

Download Plugins and Themes from Dashboard < 1.8.6 - Authenticated (Admin+) Arbitrary File Download