Local File Inclusion (LFI)

Introduction

This article covers cases of possible LFI on WordPress. This includes improper file inclusion inside of the plugin/theme which can be used to gain RCE on the server.

Learn how to secure your code against Local File Inclusion

Useful Functions

Several functions could be useful to identify a possible LFI vulnerability:

• include
• include_once
• require
• require_once

Example Cases

Below is an example of vulnerable code:

add_action("wp_ajax_nopriv_render_lesson", "render_lesson_template");

function render_lesson_template(){
    $template_path      = urldecode( $_GET['template_path'] ?? '' );

    // For custom template return all list of lessons
    include $template_path;
    die();
}

To exploit this, any unauthenticated user just needs to perform a POST request to the /wp-admin/admin-ajax.php endpoint specifying the needed parameter to trigger the include function.

curl <WORDPRESS_BASE_URL>/wp-admin/admin-ajax.php?action=render_lesson&template_path=/etc/passwd

Below are some of the findings related to Local File Inclusion:

• Critical Vulnerabilities Patched in REHub Theme and Plugin
• Security Vulnerability In OceanWP Theme <= 3.4.1
• Vulnerability In Rank Math SEO Plugin
• Multiple Critical Vulnerabilities Fixed In LearnPress Plugin Version <= 4.1.7.3.2