CVE-2012-4915
Published 2014-05-29
Priority: P3 · 50 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 50.02% (98.8th percentile)
Directory traversal vulnerability in the Google Doc Embedder plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to libs/pdf.php.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| davistribe | google_doc_embedder | <= 2.5.3 | — |
Detection & IOCs
Command: GET /wp-content/plugins/google-document-embedder/libs/pdf.php?fn=<random>.pdf&file=../../../../wp-config.php
- Detect GET requests to the vulnerable pdf.php endpoint containing directory traversal sequences ('..') in the 'file' query parameter.
- Alert on HTTP GET requests to 'google-document-embedder/libs/pdf.php' with a 'file' parameter value containing '../' sequences, especially targeting 'wp-config.php'.
- Monitor for HTTP 200 responses from pdf.php that contain WordPress config keywords such as 'allow_url_fopen', 'DB_HOST', 'DB_USER', 'DB_PASSWORD', or 'DB_NAME' in the response body, indicating successful credential exfiltration.
- Watch for post-exploitation activity: after file disclosure, the attacker may authenticate to wp-login.php and then POST to theme-editor.php to write a PHP webshell into a theme's header.php.
- Detect direct MySQL connections from the WordPress web server host to an external IP on port 3306 following a request to pdf.php, which may indicate the attacker is using harvested DB credentials.
- The Metasploit exploit only works when the MySQL server is network-accessible from the attacker and WordPress has filesystem write access; environments with MySQL bound to localhost only or read-only filesystems are not fully exploitable beyond credential disclosure.
- The admin account password may be permanently changed if the exploit does not complete cleanly; defenders should audit admin password changes as a post-exploitation indicator.
- Affected versions are Google Document Embedder 2.4.6 and below; versions 2.5.4 and above are patched.
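The first two detection ideas above, applied to web server access logs, as an added example (not code from the advisory or from any source this page cites). It assumes combined-log-format lines; the sample lines and IP addresses are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line and status as they appear in combined log format (assumed).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENDPOINT = "google-document-embedder/libs/pdf.php"

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2013:10:00:00 +0000] "GET /wp-content/plugins/'
    'google-document-embedder/libs/pdf.php?fn=a.pdf&file=../../../../wp-config.php'
    ' HTTP/1.1" 200 3120',
    '203.0.113.7 - - [08/Jan/2013:10:00:02 +0000] "GET /wp-content/plugins/'
    'google-document-embedder/libs/pdf.php?fn=a.pdf&file=%252e%252e%2f..%2fwp-config.php'
    ' HTTP/1.1" 404 210',
    '198.51.100.4 - - [08/Jan/2013:10:01:00 +0000] "GET /wp-content/plugins/'
    'google-document-embedder/libs/pdf.php?fn=a.pdf&file=report.pdf HTTP/1.1" 200 900',
    '198.51.100.4 - - [08/Jan/2013:10:02:00 +0000] "GET /index.php?file=../notes.txt'
    ' HTTP/1.1" 200 50',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_line(line):
    """Return a finding dict for a traversal request to pdf.php, else None."""
    m = LOG_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    if not fully_decode(url.path).lower().endswith(ENDPOINT):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("file", []):
        value = fully_decode(raw).replace("\\", "/")
        if ".." in value.split("/"):  # a '..' path segment, not just two dots
            return {"file": value, "status": int(m.group("status")),
                    "targets_wp_config": value.lower().endswith("wp-config.php")}
    return None

def scan(lines):
    """Collect findings for every matching line, in input order."""
    return [f for f in map(check_line, lines) if f]
```

A finding with status 200 is the case to triage first, since the access log cannot show whether the response body contained the configuration keywords listed above.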
Exploit-DB
WordPress Plugin Google Document Embedder - Arbitrary File Disclosure (Metasploit)
exploitdb · 2013-01-08
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rbmysql'
class Metasploit3 'WordPress Plugin Google Document Embedder Arbitrary File Disclosure',
'Description' => %q{
This module exploits an arbitrary file disclosure flaw in the WordPress
blogging software plugin known as Google Document Embedder. The vulnerability allows for
database credential disclosure via the /libs/pdf.php script. The Google Document Embedder
plug-in versions 2.4.6 and below are vulnerable. This exploit only works wh
Metasploit
WordPress Plugin Google Document Embedder Arbitrary File Disclosure
This module exploits an arbitrary file disclosure flaw in the WordPress blogging software plugin known as Google Document Embedder. The vulnerability allows for database credential disclosure via the /libs/pdf.php script. The Google Document Embedder plug-in versions 2.4.6 and below are vulnerable. This exploit only works when the MySQL server is exposed on an accessible IP and WordPress has filesystem write access. Please note: The admin password may get changed if the exploit does not run to the end.
- http://osvdb.org/88891
- http://secunia.com/advisories/50832
- http://www.securityfocus.com/bid/57133
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80930