# Exploit Title: Payment Gateways Caller for WP e-Commerce for WordPress LFI Vulnerability
# Google Dork: None
# Date: 23/10/2013
# Exploit Author: k3170makan
# Vendor Homepage: http://wordpress.org/plugins/payment-gateways-caller-for-wp-e-commerce/
# Software Link: https://github.com/andrezrv/wp-e-commerce-merchants-caller
# Version: <0.1.1
# Tested on: Ubuntu 12.04.2 LTS

Payment Gateways Caller for WP e-Commerce (before version 0.1.1) for WordPress suffers from a Local File Inclusion vulnerability. This exposes web servers running the plugin to critical information disclosure and path traversal vulnerabilities, and could enable remote or arbitrary code execution because of the way the vulnerability is caused.

Here's the code detailing the issue:

    function wpscmc_load_merchant() {
        if ( wpscmo_ecommerce_is_installed( ) and !empty( $_GET['load_merchant'] ) ) {
            // Vulnerable: the GET parameter is concatenated into the include path unchecked.
            include_once( wpscmo_get_merchants_path(). '/'. $_GET['load_merchant'] . '.php' );
            die(); // This is required in order to avoid WP pages to load.
        }
    }

The include_once call in the wpscmc_load_merchant function sources input directly from a GET request, allowing attackers to inject "../" sequences and access other files on the web server's file system.

This plugin has recently been updated with a mitigation to prevent Local File Inclusion vulnerabilities in v0.1.1.

http://blog.k3170makan.com/
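One way to close this class of bug in a loader like wpscmc_load_merchant, as an added example rather than the plugin's actual 0.1.1 change or the author's code: accept only a plain identifier for load_merchant and confirm the canonical path stays inside the merchants directory. The function name wpscmc_resolve_merchant_file, the temporary directory and the sample inputs are constructed for illustration.

```php
<?php
// Added example (hypothetical helper, not the plugin's code): map a requested
// merchant name to a file strictly inside $merchants_dir, or return null.
function wpscmc_resolve_merchant_file(string $merchants_dir, $requested): ?string
{
    // Reject arrays (?load_merchant[]=x) and anything that is not a short
    // identifier: no dots, slashes, backslashes or NUL bytes can pass.
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    $base = realpath($merchants_dir);
    if ($base === false) {
        return null;
    }
    // Defence in depth: canonicalise the candidate and require a regular file.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // A symlink inside the directory could still point elsewhere, so check
    // that the resolved path keeps the merchants directory as its prefix.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary merchants directory holding one gateway file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'merchants_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'paypal.php', "<?php // constructed sample\n");

// Constructed inputs: one valid name, then values the loader must refuse.
$samples = ['paypal', '../outside', 'paypal.php', "paypal\0", ['paypal'], 'missing'];
foreach ($samples as $input) {
    $resolved = wpscmc_resolve_merchant_file($dir, $input);
    printf(
        "%-16s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        $resolved === null ? 'rejected' : 'allowed'
    );
}

// Clean up the constructed fixture.
unlink($dir . DIRECTORY_SEPARATOR . 'paypal.php');
rmdir($dir);
```

Only the first sample is allowed; a caller would pass the returned path to include_once and skip the include whenever the helper returns null.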