CVE-2012-4915
published 2014-05-29

Priority: P3 · 50 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 50.02% (98.8th percentile)
Directory traversal vulnerability in the Google Doc Embedder plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to libs/pdf.php.

Affected

18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| davistribe | google_doc_embedder | <= 2.5.3 | |

Detection & IOCs (extracted from sources)

path: wp-content/plugins/google-document-embedder/libs/pdf.php
path: libs/pdf.php
path: wp-config.php
url: /wp-content/plugins/google-document-embedder/libs/pdf.php
command: GET /wp-content/plugins/google-document-embedder/libs/pdf.php?fn=<random>.pdf&file=../../../../wp-config.php
  • Detect GET requests to the vulnerable pdf.php endpoint containing directory traversal sequences ('..') in the 'file' query parameter.
  • Alert on HTTP GET requests to 'google-document-embedder/libs/pdf.php' with a 'file' parameter value containing '../' sequences, especially targeting 'wp-config.php'.
  • Monitor for HTTP 200 responses from pdf.php that contain WordPress config keywords such as 'allow_url_fopen', 'DB_HOST', 'DB_USER', 'DB_PASSWORD', or 'DB_NAME' in the response body, indicating successful credential exfiltration.
  • Watch for post-exploitation activity: after file disclosure, the attacker may authenticate to wp-login.php and then POST to theme-editor.php to write a PHP webshell into a theme's header.php.
  • Detect direct MySQL connections from the WordPress web server host to an external IP on port 3306 following a request to pdf.php, which may indicate the attacker is using harvested DB credentials.
  • The Metasploit exploit only works when the MySQL server is network-accessible from the attacker and WordPress has filesystem write access; environments with MySQL bound to localhost only or read-only filesystems are not fully exploitable beyond credential disclosure.
  • The admin account password may be permanently changed if the exploit does not complete cleanly; defenders should audit admin password changes as a post-exploitation indicator.
  • Affected versions are Google Document Embedder 2.4.6 and below; versions 2.5.4 and above are patched.
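
The first two detection notes above can be applied to web server access logs as follows. This is an added example, not code from this page or from the plugin; it assumes combined-format log lines, the sample lines are constructed, and it goes slightly beyond the notes by undoing nested percent-encoding and matching `..` as a whole path segment so names such as `notes..v2.pdf` are not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "google-document-embedder/libs/pdf.php"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges, invented timestamps).
P = "/wp-content/plugins/google-document-embedder/libs/pdf.php"
SAMPLE_LOG = [
    f'203.0.113.7 - - [29/May/2014:10:00:01 +0000] "GET {P}?fn=a.pdf&file=../../../../wp-config.php HTTP/1.1" 200 3021',
    f'203.0.113.7 - - [29/May/2014:10:00:02 +0000] "GET {P}?fn=a.pdf&file=..%252f..%252fwp-config.php HTTP/1.1" 200 3021',
    f'203.0.113.9 - - [29/May/2014:10:00:03 +0000] "GET {P}?fn=a.pdf&file=../../readme.html HTTP/1.1" 404 512',
    f'198.51.100.4 - - [29/May/2014:10:00:04 +0000] "GET {P}?fn=n.pdf&file=docs/notes..v2.pdf HTTP/1.1" 200 88211',
    '198.51.100.4 - - [29/May/2014:10:00:05 +0000] "GET /index.php?file=../x HTTP/1.1" 404 512',
]

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e) up to a bounded depth."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None, 'traversal' or 'traversal-wp-config' for one log line."""
    m = REQUEST_RE.search(line)
    if not m or m["method"] != "GET":
        return None
    parts = urlsplit(m["target"])
    if ENDPOINT not in decode_fully(parts.path).lower():
        return None
    # parse_qs decodes once; decode_fully handles any remaining layers.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        value = decode_fully(raw).replace("\\", "/")
        if ".." in value.split("/"):  # '..' as a full path segment
            hit_config = value.lower().endswith("wp-config.php")
            return "traversal-wp-config" if hit_config else "traversal"
    return None

def scan(lines):
    """Return (line_number, verdict, http_status) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict, int(REQUEST_RE.search(line)["status"])))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A flagged line with status 200 is the case to correlate with the response-body and follow-on indicators listed above.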