Local File Inclusion (LFI) Vulnerability in Simple Ads Manager
In a previous post we looked at a local file inclusion (LFI) vulnerability in the plugin SAM Pro (Free Edition). Since that plugin is described as the successor to Simple Ads Manager (the plugin is currently removed from the Plugin Directory), we took a look to see if Simple Ads Manager also had the same vulnerability. As it turned out, the plugin was not really vulnerable until the same change that was made to try to fix the issue in SAM Pro (Free Edition) was made to this plugin.
In the prior version, 2.9.8.125, you can see that the file to be included was not user-specified (as seen in the file /sam-ajax-admin.php):