CVE-2015-8351
published 2017-09-11


Priority: P1 79 · Critical 9 (CVSS 3.0)
Vector: AV:N / AC:H / PR:N / UI:N / S:C / C:H / I:H / A:H
Flags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 37.03% (98.3rd percentile)
PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.

Affected

1 range

Vendor                    | Product           | Version range | Fixed in
--------------------------|-------------------|---------------|---------
gwolle_guestbook_project  | gwolle_guestbook  | <= 1.5.3      |

Detection & IOCs (extracted from sources)

Path: /wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php
  • Monitor HTTP GET requests to ajaxresponse.php containing a URL or directory traversal sequence in the 'abspath' parameter, indicating RFI or LFI exploitation attempts.
  • Alert on requests to /wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php with an external URL value in the abspath parameter (RFI vector).
  • LFI exploitation is possible even when allow_url_include is disabled; monitor for directory traversal sequences (e.g., ../) in the abspath parameter regardless of server configuration.
  • RFI exploitation requires allow_url_include to be set to 1 in PHP configuration; LFI exploitation is possible regardless of this setting.

CVSS provenance

Source    | Version | Score | Severity | Vector
----------|---------|-------|----------|-------------------------------------------------
NVD       | v3.0    | 9.0   | CRITICAL | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD       | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
VulnCheck |         | 9.0   | CRITICAL |