
Local File Inclusion (LFI)

Introduction

This article covers how to protect WordPress plugin and theme code from Local File Inclusion (LFI): restricting which files a user-controlled value can cause PHP to include, and validating that value with the proper check before it reaches an include statement.

How to secure

In general, do not allow users to fully control the string passed to PHP's file inclusion functions: include, include_once, require and require_once.

Where a user may supply only part of that string, constrain that part. The safest approach is an allow-list of the template names a user may request, so that only a fixed set of .php files can ever be included. Append the .php suffix in the code rather than accepting it from the user, so the parameter can only ever name a .php file under the intended directory:

add_action("init", "load_template_public");
function load_template_public(){
    // Abort early when the parameter is absent or not a string (template[]=x arrives as an array).
    if(!isset($_GET["template"]) || !is_string($_GET["template"])){
        return;
    }
    $template = $_GET["template"];
    // Allow-list of template names; nothing outside this list is ever passed to include.
    $allowed = array("sun", "moon", "water", "earth", "ocean");
    // The third argument forces strict (===) comparison.
    if(in_array($template, $allowed, true)){
        // The .php suffix is fixed here, so only these five files can be loaded.
        include __DIR__ . "/public/templates/{$template}.php";
    }
}

Where every .php file inside one directory is legitimately loadable, sanitizing the name with WordPress's sanitize_file_name() is an acceptable fallback. It removes directory separators, null bytes and other special characters and collapses runs of dots, so a traversal attempt such as ../../wp-config is reduced to wp-config and resolves inside the templates directory. It remains weaker than an allow-list, because any .php file that later lands in that directory (for example through an unrelated upload flaw) becomes includable:

add_action("init", "load_template_public");
function load_template_public(){
    if(!isset($_GET["template"]) || !is_string($_GET["template"])){
        return;
    }
    // sanitize_file_name() strips "/", "\", null bytes and other special characters,
    // so the result cannot leave the templates directory.
    $template = sanitize_file_name($_GET["template"]);
    if($template === ""){
        return;
    }
    include __DIR__ . "/public/templates/{$template}.php";
}
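The following is an added example, not code from the original article or from WordPress core. It serves both cases above: it keeps the fixed base directory and the .php suffix appended in code, adds a strict character check on the name, and for the directory-wide case adds a realpath() containment check so that traversal sequences, absolute paths and symlinks can never escape the templates directory. It runs under plain PHP CLI without WordPress; the function names resolve_template_path() and load_template_from_request(), the temporary directory layout and the sample inputs are assumptions made for this demonstration.

```php
<?php
// Added example, not code from the original article. It shows the
// "any .php file inside one directory" case hardened with a realpath()
// containment check on top of the article's two measures (a fixed base
// directory and a .php suffix appended in code). The function names, the
// directory layout and the sample inputs are assumptions made for this demo.

// Resolve a user-supplied template name to an absolute path inside $baseDir.
// Returns null when the request does not name an existing .php file that sits
// directly in that directory.
function resolve_template_path(string $baseDir, string $requested): ?string
{
    // Plain names only: letters, digits, dash and underscore. This rejects
    // "/", "\", ".", "\0" and whitespace before the filesystem is consulted.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // The .php suffix is fixed here, so the caller can only ever name a .php file.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($candidate === false) {
        return null; // no such file (realpath() also follows symlinks)
    }

    // Containment check: the resolved file's parent must be exactly $base.
    // A plain string-prefix test would also accept a sibling such as
    // "templates-evil/", which is why dirname() is compared for equality.
    if (dirname($candidate) !== $base) {
        return null;
    }
    return $candidate;
}

// Equivalent of the article's load_template_public() callback, with the
// request array passed in so the function can be exercised without WordPress.
function load_template_from_request(string $baseDir, array $get): bool
{
    $raw = $get['template'] ?? '';
    if (!is_string($raw)) {
        return false; // template[]=x arrives as an array; never pass it on
    }
    $path = resolve_template_path($baseDir, $raw);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Self-contained demo: build a throwaway plugin-like tree in the temp dir.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
mkdir($root . '/public/templates', 0700, true);
file_put_contents($root . '/public/templates/sun.php', "<?php echo \"sun template\\n\";\n");
file_put_contents($root . '/wp-config.php', "<?php echo \"SECRET CONFIG\\n\";\n");

// Constructed inputs: one legitimate request and several LFI attempts.
$inputs = [
    'sun',              // legitimate template name
    '../../wp-config',  // directory traversal
    "sun\0",            // embedded null byte
    '/etc/passwd',      // absolute path
    'sun.php',          // user-supplied extension (would become sun.php.php)
];
foreach ($inputs as $in) {
    $ok = load_template_from_request($root . '/public/templates', ['template' => $in]);
    printf("%-22s => %s\n", json_encode($in), $ok ? 'included' : 'rejected');
}

// Clean up the demo tree.
unlink($root . '/public/templates/sun.php');
unlink($root . '/wp-config.php');
rmdir($root . '/public/templates');
rmdir($root . '/public');
rmdir($root);
```

Run it with php lfi-demo.php: only the sun request is included, every other input is rejected before include is reached. The realpath() step is what sanitize_file_name() alone does not give you: it resolves symlinks, so a link placed in the templates directory that points outside it is caught by the dirname() comparison.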

Contributors

rafiem