Exploiting WordPress Plugins



The epitome of shitty design, aka baby's first program, also known as the WordPress plugin. There are a SHITLOAD of these floating around the internet. Most of them promise the same shit: increased ad revenue, dumbing down an already easy process (such as auto-tweeting your lame posts), stuffing in a bunch of crappy SEO keywords to reach the top of Google's page ranks and, of course, making your blog look nice. The downside to these plugins is that there is no central authority deciding what's good and what's not.


Obvious LFI / RFI

 * Version:         Beta 0.5.0 (3-October-2009)
 * Homepage:        http://www.fusionhq.com
 * Author:          Pitipong Guntawong ([email protected])
 * Copyright 2009:  FusionHQ.com (http://www.fusionhq.com)
 * Licensed Under:  LGPL
 * This program (library) is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * GNU Lesser General Public License for more details.
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 ************************************************************************************/
$path = "upload/" . $HTTP_POST_FILES['ufile']['name'];
$msg = "";
$uploadqueue = NULL;
require_once 'include_process_' . $_GET['process'] . '.php';
if ($_POST['act'] == 'upload' && $ufile != none)
    if (copy($HTTP_POST_FILES['ufile']['tmp_name'], $path))
        //echo "Successful<BR/>";

//$HTTP_POST_FILES['ufile']['name'] = file name
//$HTTP_POST_FILES['ufile']['size'] = file size
//$HTTP_POST_FILES['ufile']['type'] = type of file
$detail .= "<br>File Name

In this code tidbit, we see an obvious LFI in the require_once() call: the $_GET['process'] value goes straight into the include path. No stripping, no checking, no nothing. Exploitation is as simple as appending '?process=/path/to/include' to the URL.

In my many findings, the number one vulnerability in WordPress plugins is the lack of checking for administrative rights. Direct file access is not checked either, unlike the typical convention of Joomla modules, which do check for that sort of thing.
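For contrast with the snippet above, here is what the same include/upload pattern looks like with the three missing checks added (direct-access guard, admin capability check, allowlisted include and upload). This is an added example, not the plugin's code; it assumes WordPress is loaded and the process names 'list' and 'delete' are hypothetical.

```php
<?php
// Hardened rewrite of the include/upload pattern (added example, not the plugin's own code).
// Assumes it runs inside a loaded WordPress install; the process names are hypothetical.

// 1. Block direct file access: WordPress defines ABSPATH before it loads any plugin,
//    so a request that hits this file directly never gets past this line.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 2. Require administrative rights before doing anything at all.
if ( ! current_user_can( 'manage_options' ) ) {
    wp_die( 'Insufficient privileges.' );
}

// 3. Allowlist the include: map request values to known files instead of
//    building a path from $_GET['process'], which is the LFI in the original.
$process_files = array(
    'list'   => 'include_process_list.php',   // hypothetical
    'delete' => 'include_process_delete.php', // hypothetical
);
$process = isset( $_GET['process'] ) ? sanitize_key( $_GET['process'] ) : 'list';
if ( ! isset( $process_files[ $process ] ) ) {
    wp_die( 'Unknown process.' );
}
require_once __DIR__ . '/' . $process_files[ $process ];

// 4. Upload: keep the server-side temp name, generate the stored file name,
//    and allowlist the extension instead of trusting the client-supplied name.
//    The upload directory should not be served as executable by the web server.
if ( isset( $_POST['act'], $_FILES['ufile'] ) && $_POST['act'] === 'upload' ) {
    $allowed_ext = array( 'png', 'jpg', 'gif' );
    $ext = strtolower( pathinfo( $_FILES['ufile']['name'], PATHINFO_EXTENSION ) );
    if ( $_FILES['ufile']['error'] !== UPLOAD_ERR_OK || ! in_array( $ext, $allowed_ext, true ) ) {
        wp_die( 'Upload rejected.' );
    }
    $target = __DIR__ . '/upload/' . bin2hex( random_bytes( 8 ) ) . '.' . $ext;
    if ( ! move_uploaded_file( $_FILES['ufile']['tmp_name'], $target ) ) {
        wp_die( 'Upload failed.' );
    }
}
```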

Most WordPress plugins can be downloaded from the wordpress.org main site; however, the buggiest ones are those hosted elsewhere by private developers, the ones who aim to make a quick buck on their 'hit generation spamming'. Just google 'seo + wordpress'.




It’s late so I’ll hit a few more later.

