WordPress Plugin Vulnerabilities

Videos sync PDF <= 1.7.4 - Unauthenticated LFI

Description

The plugin does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues

Proof of Concept

Affects Plugins

Plugin icon
video-synchro-pdf
No known fix

References

CVE
CVE-2022-1392
Exploitdb
50844
URL
https://packetstormsecurity.com/files/#166534/

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Hassan Khan Yusufzai - Splint3r7
Verified
Yes
WPVDB ID
fe3da8c1-ae21-4b70-b3f5-a7d014aa3815

Timeline

Publicly Published
2022-03-30 (about 3 years ago)
Added
2022-03-30 (about 3 years ago)
Last Updated
2022-04-20 (about 3 years ago)

Other

Published
Title
Published
2015-08-24
Title
Multi Plugin Installer < 1.2.0 - Unauthenticated File Traversal
Published
2025-07-11
Title
RSFirewall! < 1.1.43 - Authenticated (Admin+) Arbitrary File Read
Published
2024-12-30
Title
WPMasterToolKit < 1.14.0 - Authenticated (Admin+) Arbitrary File Download
Published
2024-06-06
Title
Ovic Importer <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Download
Published
2022-01-31
Title
Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI