← back
CVE-2018-25324

Simple Fields 0.2-0.3.5 Local File Inclusion via wp_abspath

CVSS 6.9 MEDIUMEPSS 0.5%CWE-98
Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the wp_abspath parameter on PHP versions before 5.3.4. Attackers can supply malicious wp_abspath values to simple_fields.php to include files like /etc/passwd or inject PHP code into Apache logs for remote code execution when allow_url_include is enabled.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
Simple-Fields · Simple Fields
public PoCs found1
cve_referencewww.exploit-db.com/exploits/44425unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://downloads.wordpress.org/plugin/simple-fields.0.3.5.ziphttp://simple-fields.comhttps://www.exploit-db.com/exploits/44425https://www.vulncheck.com/advisories/simple-fields-local-file-inclusion-via-wp-abspath