14 May 2019

Authenticated Local File Inclusion (LFI) Vulnerability in Photo Gallery by 10Web

Earlier today we detailed a vulnerability for our customers in a plugin by 10Web/TenWeb/Web-Dorado, where, while the vulnerability was fixed, the code still wasn’t properly secured. So that made what we then found while looking into the possibility that a vulnerability had also been fixed in their Photo Gallery (Photo Gallery by 10Web) plugin not all that surprising. While trying to confirm that there had been authenticated persistent cross-site scripting (XSS) vulnerability that had been fixed in the plugin we got an error message that indicated there was and we then confirmed still is an authenticated local file inclusion (LFI) vulnerability in the plugin. It really isn’t a great sign as the security of WordPress plugins that you can accidentally run into a vulnerability in a plugin with 300,000+ installs (according to wordpress.org).

The error message indicated that user input from a shortcode generated through the plugin was being passed in to the following line of code in the file /frontend/controllers/controller.php through the variable $view: [Read more]