logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WP Image Zoom < 1.47 - Local File Inclusion

Description

The plugin did not validate its tab parameter before using it in the include_once() function, leading to a local file inclusion issue in the admin dashboard

Proof of Concept

PoC: https://example.com/wp-admin/admin.php?page=zoooom_settings&tab=whatever

This URL shows include_once error, which indicates that the parameter is not sanitized.

Affects Plugins

wp-image-zoooom

Fixed in version 1.47

References

CVE

CVE-2021-24447

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

fb9dbcdf-4ffd-484d-9b67-283683d050fd

Timeline

Publicly Published

2021-06-23 (about 4 months ago)

Added

2021-06-23 (about 4 months ago)

Last Updated

2021-06-23 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin