CVE-2019-9618
Published 2019-05-13
The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.
Priority: P1 82 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 40.77% (98.5th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gracemedia_media_player_project | gracemedia_media_player | — | — |
Detection & IOCs (extracted from sources)
- URL: /wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
- URL (Nuclei form, {{BaseURL}} is the template placeholder for the target): {{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
- The vulnerable parameter is cfg in ajax_controller.php; monitor GET requests to this path whose cfg value contains directory-traversal sequences (../../). Decode URL-encoded variants (%2e%2e%2f, and double-encoded %252e) before matching, since the plugin file is requested directly and PHP decodes the query string for it.
- The original advisory states that exploitation requires HTTP/1.0; requests to ajax_controller.php using HTTP/1.0 with the ajaxAction=getIds&cfg= query string are a strong signal, but a traversal payload in cfg over HTTP/1.1 should still be treated as an attempt.
- Detection matcher (from the Nuclei template): an HTTP response status of 200 or 500 combined with a body match on the regex root:.*:0:0: confirms a successful read of /etc/passwd.
- No vendor fix is available; the plugin remains vulnerable at version 1.0. The recommended mitigation is to disable the plugin entirely; because ajax_controller.php is reached directly under wp-content/plugins/ and does not depend on the plugin being active, the files must be deleted, not merely deactivated.
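The indicators above, turned into detection logic as an added example for this page (Python; not code from the plugin, the advisory or the Nuclei project). It applies the path, cfg-traversal and HTTP/1.0 signals to access-log lines in Apache/nginx combined format, and the Nuclei-style status-plus-regex matcher to a response body. The log lines, IPs and timestamps are constructed for the example; the absolute-path and stream-wrapper checks on cfg go beyond the page's IOC and cover the other inputs require_once() will happily load.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path of the vulnerable script, taken from the IOC URLs above
VULN_PATH = ("/wp-content/plugins/gracemedia-media-player/"
             "templates/files/ajax_controller.php")

# Apache/nginx combined log format; fields after the response size are ignored
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Regex the Nuclei template matches in the body for a successful /etc/passwd read
PASSWD_RE = re.compile(r'root:.*:0:0:')


def _decode_twice(value: str) -> str:
    """Undo double URL-encoding (%252e -> %2e -> .); a no-op on plain text."""
    return unquote(unquote(value))


def inspect_request(target: str, proto: str) -> list:
    """Return the reasons one request line looks like CVE-2019-9618 exploitation.

    An empty list means 'not this exploit'. The path check ties generic
    traversal noise to this plugin; 'http/1.0' is the advisory's stated
    precondition and is reported as an extra signal, not required for a hit.
    """
    parts = urlsplit(target)
    if not _decode_twice(parts.path).lower().endswith(VULN_PATH):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for value in (_decode_twice(v) for v in query.get("cfg", [])):
        if TRAVERSAL_RE.search(value):
            reasons.append("traversal in cfg")
        elif value.startswith(("/", "\\")):
            reasons.append("absolute path in cfg")   # beyond the page's IOC
        elif "://" in value:
            reasons.append("stream wrapper in cfg")  # beyond the page's IOC
    if not reasons:
        return []
    if "getids" in (v.lower() for v in query.get("ajaxAction", [])):
        reasons.append("ajaxAction=getIds")
    if proto == "HTTP/1.0":
        reasons.append("http/1.0")
    return reasons


def scan_log(lines) -> list:
    """Run inspect_request over combined-format log lines; return the hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m["target"], m["proto"])
        if reasons:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "reasons": reasons})
    return hits


def response_indicates_lfi(status: int, body: str) -> bool:
    """Nuclei-style matcher: status 200 or 500 plus a passwd-looking line."""
    return status in (200, 500) and PASSWD_RE.search(body) is not None


# Constructed log lines for the example (not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2020:03:12:44 +0000] "GET /wp-content/plugins/'
    'gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds'
    '&cfg=../../../../../../../../../../etc/passwd HTTP/1.0" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2020:03:12:45 +0000] "GET /wp-content/plugins/'
    'gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds'
    '&cfg=..%252f..%252f..%252fwp-config.php HTTP/1.1" 500 0 "-" "python-requests/2.23"',
    '198.51.100.4 - - [10/Jun/2020:03:13:01 +0000] "GET /wp-content/plugins/'
    'gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds'
    '&cfg=player.cfg HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2020:03:13:05 +0000] "GET /index.php?p=../../etc/passwd'
    ' HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["reasons"]))
```

Feed real access logs to scan_log() line by line. Only the two traversal requests against ajax_controller.php come back; the legitimate cfg=player.cfg request and the unrelated traversal against index.php do not, which is what keeps this rule quiet on a site being mass-scanned. A hit carrying the http/1.0 signal with a 200 status is the one to triage first, since that is the exploitation path the advisory describes, and response_indicates_lfi() gives the same confirmation a Nuclei run would when the response body is available.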
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-pw77-5cwc-848f (unreviewed, 2022-05-24), CRITICAL
The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.
VulnCheck
gracemedia_media_player_project / gracemedia_media_player: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), 2019, CVSS 9.8 (CRITICAL)
The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.
Affected: gracemedia_media_player_project gracemedia_media_player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/blog/2020/06/large-scale-attack-campaign-targets-database-credentials/
No detection rules found.
Exploit-DB
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion (exploitdb, 2019-03-13, CVSS 9.8, CRITICAL)
---
MGC ALERT 2019-001
- Original release date: February 06, 2019
- Last revised: March 13, 2019
- Discovered by: Manuel García Cárdenas
- Severity: 7/10 (CVSS Base Score)
- CVE-ID: CVE-2019-9618
I. VULNERABILITY
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion
II. BACKGROUND
Hassle-free and user-friendly way to add a Media player directly to your
website.
III. DESCRIPTION
This bug was found in the file:
/gracemedia-media-player/templates/files/ajax_controller.php
Vulnerable code:
```php
require_once($_GET['cfg']);
```
The parameter "cfg" is not sanitized, allowing the inclusion of local files.
To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP
protocol to interact with the application.
Nuclei
WordPress GraceMedia Media Player 1.0 - Local File Inclusion (nuclei, CVSS 9.8, CRITICAL)
WordPress GraceMedia Media Player plugin 1.0 is susceptible to local file inclusion via the cfg parameter.
Template (truncated):
```yaml
id: CVE-2019-9618

info:
  name: WordPress GraceMedia Media Player 1.0 - Local File Inclusion
  author: daffainfo
  severity: critical
  description: WordPress GraceMedia Media Player plugin 1.0 is susceptible to local file inclusion via the cfg parameter.
  impact: |
    Attackers can include arbitrary local files, potentially leading to information disclosure or code execution.
  remediation: |
    Update to the latest version of the plugin or apply security patches to sanitize the 'cfg' parameter.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
    - https://seclists.org/fulldisclosure/2019/Mar/26
    - https:/
```
Greynoiseio
NoiseLetter October 2025 (blogs_greynoiseio)
CTF
Cyberlandsholdet 2020 / README (ctf_writeups, 2020)
# Cyberlandsholdet 2020 writeup
Flags:
```
FE{e4ffcc2a0515040c02f457e90685e8fc}
FE{78615d67dd336381f0a08157566604ad}
FE{2811497ceda2e9ea133b4f4848e2032a}
FE{1ec08f5b6a4500f209c803f356710a83}
FE{213ab5f9892d8a6256025c4654a0eb27}
FE{30eb1cd6eba3d1f419874c1bf5f54735}
FE{c129f4ffc767854f35c765ffc133b15c}
FE{ecf104fe52e22f136140bd858673327d}
FE{7ac2f6e718cec874a4c261dced08d66e}
FE{3f6a382bfa845efcf24d6240e94695aa}
FE{1696e5c5147322335a68913385f8661a}
FE{f245cca305ecd78a9a6ce1508d15aa54}
FE{de00723e48115c830dd2ea18848a04da}
FE{droidvictory}
FE{afb67444f8cb19a96a4aa91aca15250d}
```
## Hacking-lab challenge
Start by going to https://cyberlandsholdet.dk/robots.txt
```conf
User-agent: *
Disallow: /level2/
Disallow: /absolutelynorobotsallowed/
# These robots are allowed
# ___T_ |---| )_( Y__ __
```
References
- http://seclists.org/fulldisclosure/2019/Mar/26
- http://seclists.org/fulldisclosure/2019/Mar/32
- https://wordpress.org/plugins/gracemedia-media-player/#developers
- https://wpvulndb.com/vulnerabilities/9234