CVE-2019-14205
published 2019-07-21

Priority: P1 80 high
CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitation status: exploited in the wild (VulnCheck KEV)
EPSS: 63.38% (99.1th percentile)
A Local File Inclusion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to retrieve arbitrary files via the $REQUEST['adaptive-images-settings']['source_file'] parameter in adaptive-images-script.php.

Affected

1 range

Vendor   Product           Version range   Fixed in
nevma    adaptive_images   < 0.6.67        0.6.67

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/adaptive-images/adaptive-images-script.php
url: {{BaseURL}}/wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php
  • Look for GET requests to adaptive-images-script.php with the 'adaptive-images-settings[source_file]' parameter containing path traversal sequences (e.g., '../').
  • Successful exploitation of the LFI targeting wp-config.php will return a response body containing both 'DB_NAME' and 'DB_PASSWORD' strings with HTTP 200.
  • The vulnerability exists only in Nevma Adaptive Images plugin versions before 0.6.67 for WordPress. Patched in version 0.6.67.
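The two detection bullets above can be turned into a small log scanner. The following is an added example written for this page, not code from the CVE record, the plugin, or any detection-rule project; the access-log lines it parses are constructed samples in combined log format, and the helper names (`scan_log`, `analyse_request`, `response_indicates_leak`) are this example's own. It flags GET requests to adaptive-images-script.php whose `adaptive-images-settings[source_file]` value contains a traversal sequence after (repeated) percent-decoding, so that `%2e%2e%2f` and double-encoded variants are caught alongside the literal `../`, and it separately implements the response check from the second bullet.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from any real server.
# Lines 1 and 2 carry traversal in the vulnerable parameter (literal and percent-encoded),
# line 3 is a legitimate image request to the same script, line 4 is traversal elsewhere.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jul/2019:10:00:01 +0000] "GET /wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php HTTP/1.1" 200 2914 "-" "curl/7.64.0"
203.0.113.6 - - [21/Jul/2019:10:00:02 +0000] "GET /wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings%5Bsource_file%5D=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2914 "-" "python-requests/2.22"
198.51.100.9 - - [21/Jul/2019:10:00:03 +0000] "GET /wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=/wp-content/uploads/2019/07/hero.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.10 - - [21/Jul/2019:10:00:04 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTOCOL" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# A ".." path component delimited by a slash (or backslash) on either side.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')
SCRIPT_PATH = "/wp-content/plugins/adaptive-images/adaptive-images-script.php"
PARAM = "adaptive-images-settings[source_file]"


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded %252e%252e is also normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value contains a '..' path component."""
    normalised = decode_fully(value).replace("\\", "/")
    return TRAVERSAL_RE.search(normalised) is not None


def analyse_request(target):
    """Return the decoded offending source_file value when the request target matches
    the CVE-2019-14205 pattern (vulnerable script + traversal in the parameter), else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(SCRIPT_PATH):
        return None
    # parse_qs percent-decodes parameter names too, so an encoded
    # adaptive-images-settings%5Bsource_file%5D key is looked up under PARAM.
    query = parse_qs(parts.query, keep_blank_values=True)
    for value in query.get(PARAM, []):
        if is_traversal(value):
            return decode_fully(value)
    return None


def scan_log(text):
    """Return (ip, timestamp, status, decoded_source_file) for every line matching the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        offending = analyse_request(m.group("target"))
        if offending is not None:
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), offending))
    return hits


def response_indicates_leak(status, body):
    """Second bullet: an HTTP 200 whose body carries both DB_NAME and DB_PASSWORD
    means wp-config.php was actually served, not merely requested."""
    return status == 200 and "DB_NAME" in body and "DB_PASSWORD" in body


if __name__ == "__main__":
    for ip, ts, status, source_file in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} source_file={source_file}")
```

Running the block prints the two matching lines (the literal and the percent-encoded traversal), while the legitimate image request and the unrelated `/index.php` traversal attempt are not reported. Matching on the decoded value rather than on the raw `../` string is what makes the second sample line visible; an access log alone cannot confirm the leak, so `response_indicates_leak` is meant for a web-application firewall or proxy that sees response bodies.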

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck   -         7.5     HIGH       -