Advanced Access Manager < 5.9.9 – Unauthenticated Local File Inclusion

Description

The Advanced Access Manager WordPress plugin, versions before 5.9.9, allowed reading arbitrary files. This way one can download the wp-config.php file and get access to the database, which is publicly reachable on many servers.

The affected function was the printMedia() function in the application/Core/Media.php file.

Proof of Concept

http://example.com/?aam-media=wp-config.php

Affects Plugins

advanced-access-manager

Fixed in 5.9.9

References

URL

https://plugins.trac.wordpress.org/changeset/2098838/advanced-access-manager/trunk/application/Core/Media.php?old=2151316&old_path=advanced-access-manager%2Ftrunk%2Fapplication%2FCore%2FMedia.php

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

9.1 (critical)

Miscellaneous

Original Researcher

Ov3rfly

Submitter

Daniel Winzen

Submitter website

https://danwin1210.me

Verified

Yes

WPVDB ID

dfe62ff5-956c-4403-b3fd-55677628036b

Timeline

Publicly Published

2019-09-05 (about 6 years ago)

Added

2019-09-09 (about 6 years ago)

Last Updated

2021-04-23 (about 4 years ago)

Other

Published

Title

Published

2015-06-10

Title

Download Zip Attachments <= 1.0 - Arbitrary File Download

Published

2024-05-21

Title

WPZOOM Addons for Elementor (Templates, Widgets) < 1.1.38 - Unauthenticated Local File Inclusion

Published

2023-10-23

Title

ICS Calendar < 10.12.0.2 - Authenticated(Contributor+) Directory Traversal via _url_get_contents

Published

2025-07-15

Title

Counter live visitors for WooCommerce < 1.3.7 - Unauthenticated Arbitrary File Deletion in wcvisitor_get_block

Published

2024-04-18

Title

tagDiv Composer < 4.9 - Authenticated (Contributor+) Local File Inclusion via Shortcode