WordPress Plugin Vulnerabilities

Videos sync PDF <= 1.7.4 - Unauthenticated LFI

Description

The plugin does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues

Proof of Concept

https://example.com/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=LFI

Affects Plugins

Plugin icon
video-synchro-pdf
No known fix

References

CVE
CVE-2022-1392
Exploitdb
50844
URL
https://packetstormsecurity.com/files/#166534/

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Hassan Khan Yusufzai - Splint3r7
Verified
Yes
WPVDB ID
fe3da8c1-ae21-4b70-b3f5-a7d014aa3815

Timeline

Publicly Published
2022-03-30 (about 2 years ago)
Added
2022-03-30 (about 2 years ago)
Last Updated
2022-04-20 (about 2 years ago)

Other

Published
Title
Published
2016-08-23
Title
Mail Masta <= 1.0 - Unauthenticated Local File Inclusion (LFI)
Published
2014-08-01
Title
Page Flip Image Gallery <= 0.2.2 - Remote FD Vuln
Published
2023-12-22
Title
Backup Migration < 1.4.0 - Unauthenticated Path Traversal to Arbitrary File Deletion
Published
2017-09-21
Title
Smush Image Compression and Optimization <= 2.7.5 - File Transversal
Published
2014-08-01
Title
Cross RSS 1.7 - proxy.php rss Parameter Local File Inclusion