Crayon Syntax Highlighter < 2.7.0 – Local File Disclosure | Plugin Vulnerabilities

Description

The local file syntax highlighting feature of Crayon Syntax Highlighter doesn't check the path of the file to process. Also, by default, this feature is usable through public comments. This allows unauthenticated visitors to see the content of any file where the web server has read permissions, such as PHP source files or configuration files.

CVSSv2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Proof of Concept

For example, just by posting a comment containing the following code on a website using this plugin, an attacker could see the content of /etc/password :
<pre class="lang:php" data-url="/../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"></pre>

Affects Plugins

crayon-syntax-highlighter

Fixed in 2.7.0

References

URL

http://www.kevinsubileau.fr/informatique/hacking-securite/crayon-syntax-highlighter-local-file-disclosure-vulnerability.html

Classification

Type

LFI

OWASP top 10

CWE

Miscellaneous

Submitter

Kevin Subileau

Submitter website

http://www.kevinsubileau.fr

Submitter twitter

Verified

No

WPVDB ID

c9595de9-5f05-4d50-9312-18f9d6843b7a

Timeline

Publicly Published

2015-04-14 (about 11 years ago)

Added

2015-04-15 (about 11 years ago)

Last Updated

2019-10-21 (about 6 years ago)

Other

Published

Title

Published

2025-10-24

Title

Creta Testimonial Showcase < 1.2.4 - Editor+ Local File Inclusion

Published

2026-02-26

Title

Directory Listings WordPress plugin – uListing <= 2.2.0 - Authenticated (Editor+) Arbitrary File Download

Published

2025-06-30

Title

Aviation Weather from NOAA <= 0.7.2 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2024-01-19

Title

Photo Gallery by 10Web - Mobile-Friendly Image Gallery < 1.8.20 - Directory Traversal to Arbitrary File Rename

Published

2014-08-01

Title

Payment Gateways Caller for WP e-Commerce 0.1.0 - load_merchant Parameter Traversal Local file Inclusion