CVE-2018-20985
published 2019-08-22

CVE-2018-20985: The wp-payeezy-pay plugin before 2.98 for WordPress has local file inclusion in pay.php, donate.php, donate-rec, and pay-rec.

Priority: P261 · Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: known exploit flagged
EPSS: 7.61% (93.8th percentile)

Affected (1 range)

Vendor  | Product        | Version range | Fixed in
payeezy | wp_payeezy_pay | < 2.98        | 2.98

Detection & IOCs (extracted from sources)

url: /wp-content/plugins/wp-payeezy-pay/donate.php
path: /wp-content/plugins/wp-payeezy-pay/donate.php
command: x_login=../../../wp-config
  • POST request to donate.php with body parameter x_login containing directory traversal sequence (../../../wp-config) indicates active LFI exploitation attempt against wp-payeezy-pay plugin.
  • Successful exploitation returns HTTP 200 with wp-config.php content in the response body; look for strings 'The base configuration for WordPress', 'define( \'DB_NAME\',', and 'define( \'DB_PASSWORD\',' simultaneously.
  • The LFI vulnerability also affects pay.php, donate-rec, and pay-rec files within the same plugin directory; monitor POST requests to all four endpoints for traversal payloads.
  • The LFI is triggered via the x_login POST parameter; the traversal depth (../../../) targets wp-config.php relative to the plugin directory — adjust depth based on actual WordPress installation path.
  • Versions 2.97 and prior are vulnerable; version 2.98 is the first patched release. Detections should scope to plugin version checks where possible.
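The detection notes above can be turned into a small log check. The following is an added example, not code from the CVE record or from the plugin: it flags POST requests to the four affected endpoints whose form fields carry a traversal sequence (after repeated URL-decoding, so double-encoded payloads are not missed) and recognises a response body that contains all three wp-config.php markers the notes list. The request/response record format, the sample records and the helper names are assumptions made for the example; real input would come from your proxy, WAF or web-server logs.

```python
"""Added detection example for CVE-2018-20985 (not the CVE record's or the plugin's own code)."""
import re
from urllib.parse import parse_qs, unquote

PLUGIN_DIR = "/wp-content/plugins/wp-payeezy-pay/"
# Endpoint names as listed in the advisory. 'donate-rec' and 'pay-rec' are matched
# by prefix because the record gives no file extension for them (assumption).
VULN_ENDPOINTS = ("pay.php", "donate.php", "donate-rec", "pay-rec")

# Any '../' or '..\' once the value is decoded; this also catches %2e%2e%2f-style encodings.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Strings the advisory says appear together when wp-config.php content is returned.
WP_CONFIG_MARKERS = (
    "The base configuration for WordPress",
    "define( 'DB_NAME',",
    "define( 'DB_PASSWORD',",
)


def is_vuln_endpoint(path: str) -> bool:
    """True if the request path targets one of the four affected plugin files."""
    path = path.split("?", 1)[0]
    if not path.startswith(PLUGIN_DIR):
        return False
    basename = path[len(PLUGIN_DIR):]
    return any(basename.startswith(name) for name in VULN_ENDPOINTS)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded traversal does not slip past."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(body: str) -> dict:
    """Return {field: decoded value} for every form field that contains a traversal sequence."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:  # parse_qs has already decoded one layer of %-encoding
            decoded = decode_fully(raw)
            if TRAVERSAL_RE.search(decoded):
                hits[name] = decoded
    return hits


def find_lfi_attempts(records):
    """records: iterable of dicts with 'method', 'path', 'body' (assumed log format).

    Returns one alert per POST to an affected endpoint whose body carries traversal."""
    alerts = []
    for i, rec in enumerate(records):
        if rec.get("method", "").upper() != "POST":
            continue
        if not is_vuln_endpoint(rec.get("path", "")):
            continue
        hits = traversal_params(rec.get("body", ""))
        if hits:
            alerts.append({"index": i, "path": rec["path"], "params": hits})
    return alerts


def looks_like_wp_config_leak(response_body: str) -> bool:
    """All three markers together, as the advisory describes, indicate wp-config.php content."""
    return all(marker in response_body for marker in WP_CONFIG_MARKERS)


# Constructed sample records (not real traffic): one plain traversal, one double-encoded
# traversal, one legitimate-looking request, and one traversal aimed at a different plugin.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": PLUGIN_DIR + "donate.php",
     "body": "x_login=../../../wp-config&x_amount=10"},
    {"method": "POST", "path": PLUGIN_DIR + "pay.php",
     "body": "x_login=%252e%252e%252fetc"},
    {"method": "POST", "path": PLUGIN_DIR + "donate.php",
     "body": "x_login=merchant123&x_amount=25"},
    {"method": "POST", "path": "/wp-content/plugins/other-plugin/form.php",
     "body": "file=../../../wp-config"},
]

# Constructed response body with placeholder values, shaped like a leaked wp-config.php.
SAMPLE_RESPONSE = (
    "<?php\n/**\n * The base configuration for WordPress\n */\n"
    "define( 'DB_NAME', 'example_db' );\n"
    "define( 'DB_USER', 'example_user' );\n"
    "define( 'DB_PASSWORD', 'PLACEHOLDER' );\n"
)

if __name__ == "__main__":
    for alert in find_lfi_attempts(SAMPLE_REQUESTS):
        print("LFI attempt:", alert)
    print("wp-config leak in sample response:", looks_like_wp_config_leak(SAMPLE_RESPONSE))
```

The endpoint match is deliberately restricted to the plugin directory so the rule does not fire on every traversal-looking string site-wide; pair it with the version check the notes recommend, since installations on 2.98 or later produce the same request shape without the underlying flaw.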

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P