WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Videos sync PDF <= 1.7.4 - Unauthenticated LFI

Description

The plugin does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues

Proof of Concept

https://example.com/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=LFI

Affects Plugins

video-synchro-pdf
No known fix - plugin closed

References

CVE
CVE-2022-1392
URL
https://packetstormsecurity.com/files/166534/
ExploitDB
50844

Classification

Type

LFI

OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Original Researcher

Hassan Khan Yusufzai - Splint3r7

Verified

Yes

WPVDB ID
fe3da8c1-ae21-4b70-b3f5-a7d014aa3815

Timeline

Publicly Published

2022-03-30 (about 3 months ago)

Added

2022-03-30 (about 3 months ago)

Last Updated

2022-04-20 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin