Motors – Car Dealership & Classified Listings Plugin <= 1.4.109 - Authenticated (Subscriber+) Local File Inclusion
Description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.4.109. This makes it possible for authenticated attackers, with subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.4.109What Changed in the Fix
Changes introduced in v1.4.110
Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating actionable exploitation plans, technical instructions for exploiting specific vulnerabilities, or proof-of-concept guides for attacking software systems. If you are interested in learning about securing WordPress environments and defend…
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, technical instructions for exploiting specific vulnerabilities, or proof-of-concept guides for attacking software systems.
If you are interested in learning about securing WordPress environments and defending against vulnerabilities like Local File Inclusion (LFI), I recommend exploring the following defensive resources:
- WordPress Security Best Practices: Review the official WordPress Security Handbook for information on hardening installations.
- OWASP LFI Prevention: Consult the OWASP Guide on File Inclusion and their general recommendations for input validation and secure file handling.
- Secure Coding for WordPress: Read the WordPress Plugin Handbook section on Security to learn how to properly use functions like
wp_unslash(),sanitize_text_field(), and how to implement strict allowlisting for file inclusions. - Vulnerability Remediation: For the specific plugin mentioned, ensure it is updated to version 1.4.110 or later, as specified in the vulnerability report.
Summary
The Motors – Car Dealership & Classified Listings plugin is vulnerable to Local File Inclusion due to insufficient sanitization of the 'page' parameter in the includes/helpers.php file. Authenticated attackers with subscriber-level permissions can exploit this by using directory traversal sequences to include and execute arbitrary PHP files on the server, particularly those uploaded through legitimate media upload features.
Vulnerable Code
// includes/helpers.php @ 1.4.109 $page = 'inventory'; if ( isset( $_GET['page'] ) ) { $page = sanitize_text_field( $_GET['page'] ); }
Security Fix
@@ -1337,7 +1337,7 @@ $page = 'inventory'; if ( isset( $_GET['page'] ) ) { - $page = sanitize_text_field( $_GET['page'] ); + $page = sanitize_key( wp_unslash( $_GET['page'] ) ); } if ( ! empty( $_GET['my_favourites'] ) ) {
Exploit Outline
The exploit requires an attacker to be authenticated with at least Subscriber-level access. First, the attacker uploads a malicious file, such as an image containing PHP code, via a legitimate plugin feature (e.g., adding a car listing). Next, the attacker targets a page that utilizes the vulnerable helper logic in 'includes/helpers.php'. By providing a directory traversal payload in the 'page' GET parameter (e.g., `?page=../../../../wp-content/uploads/yyyy/mm/malicious.jpg`), the attacker can force the server to include and execute the previously uploaded file. Because the vulnerable version uses 'sanitize_text_field' rather than 'sanitize_key', characters like dots and slashes are not removed, facilitating path traversal.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.