CVE-2015-8351
CVE-2015-8351
PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.
Affected products
n/a · n/apublic PoCs found — 6
githubgithub.com/G4sp4rCS/exploit-CVE-2015-8351★ 2githubgithub.com/G01d3nW01f/CVE-2015-8351★ 1githubgithub.com/Philip-Otter/CVE-2015-8351_Otter_Remix★ 0cve_referencepacketstormsecurity.com/files/134599/WordPress-Gwolle-Guestbook-1.5.3-Remote-File-Inclusion.htmlunverifiedcve_referencewww.exploit-db.com/exploits/38861/unverifiedexploitdbwww.exploit-db.com/exploits/38861unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/134599/WordPress-Gwolle-Guestbook-1.5.3-Remote-File-Inclusion.htmlhttps://wordpress.org/plugins/gwolle-gb/changelog/https://www.exploit-db.com/exploits/38861/https://www.htbridge.com/advisory/HTB23275http://www.securityfocus.com/archive/1/537020/100/0/threaded