CVE-2019-9618
published 2019-05-13

CVE-2019-9618: The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.

Priority: P1 (82)
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status: ITW exploit; listed in VulnCheck KEV; exploited in the wild
EPSS: 40.77% (98.5th percentile)

Affected

1 range

Vendor                            Product                   Version range   Fixed in
gracemedia_media_player_project   gracemedia_media_player   1.0             none available

Detection & IOCs (extracted from sources)

path: /gracemedia-media-player/templates/files/ajax_controller.php
url:  /wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
url:  {{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
  • The vulnerable parameter is cfg in ajax_controller.php. Monitor GET requests to this path whose cfg value contains directory-traversal sequences (../), and decode percent-encoding (%2e%2e%2f, including double encoding) before matching so that trivially obfuscated variants are not missed.
  • The published proof-of-concept sends its request as HTTP/1.0, but nothing in the vulnerability depends on the protocol version: the inclusion is driven entirely by the ajaxAction=getIds&cfg= query string. Alert on that pattern regardless of HTTP version and treat HTTP/1.0 only as a supporting indicator of tooling rather than a required condition.
  • Detection matcher (from the Nuclei template): an HTTP response with status 200 or 500 whose body matches the regex root:.*:0:0: confirms that /etc/passwd was included and the LFI was successfully exploited.
  • No vendor fix is available; the plugin remains vulnerable at version 1.0. The recommended mitigation is to disable the plugin entirely.
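The two detection rules above (request-side traversal in cfg, response-side /etc/passwd matcher) as a worked example. This is an added illustration, not code from the original page or from the plugin or the Nuclei project; the access-log lines are constructed for the example, and the log format, the prefix-tolerant path match and the three rounds of percent-decoding are this example's own choices.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
# Lines 1-3 are traversal attempts against ajax_controller.php, with plain, single
# and double percent-encoding; line 4 is a benign request; line 5 targets a
# different plugin and must not match.
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2019:10:02:11 +0000] "GET /wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd HTTP/1.0" 200 1822 "-" "curl/7.64.0"
203.0.113.7 - - [13/May/2019:10:02:14 +0000] "GET /wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2019:10:02:20 +0000] "GET /wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.9 - - [13/May/2019:10:03:01 +0000] "GET /wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=default HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [13/May/2019:10:03:05 +0000] "GET /wp-content/plugins/some-other-plugin/admin.php?cfg=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Path from the IOCs above; matched with endswith() so a site installed under a
# prefix such as /wordpress/ is still caught.
VULN_PATH = "/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Response-side matcher from the Nuclei template: a root line from /etc/passwd.
PASSWD_RE = re.compile(r'root:.*:0:0:')


def decode_repeatedly(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %252e%252e%252f becomes ../ ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(target):
    """Return the decoded cfg value if `target` hits ajax_controller.php with a
    traversal sequence in cfg, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return None
    # parse_qs removes one layer of encoding; decode_repeatedly handles the rest.
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("cfg", []):
        decoded = decode_repeatedly(raw)
        if TRAVERSAL_RE.search(decoded):
            return decoded
    return None


def scan_log(text):
    """Return one alert per log line whose request matches the LFI pattern.
    The protocol version is recorded for context but is deliberately not a
    condition: the inclusion depends only on the query string."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cfg = analyze_request(m["target"])
        if cfg is None:
            continue
        alerts.append({"ip": m["ip"], "proto": m["proto"],
                       "status": int(m["status"]), "cfg": cfg})
    return alerts


def confirms_lfi(status, body):
    """Nuclei-style confirmation: status 200 or 500 and an /etc/passwd root entry in the body."""
    return status in (200, 500) and PASSWD_RE.search(body) is not None


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ip']} {alert['proto']} status={alert['status']} cfg={alert['cfg']}")
    print(confirms_lfi(200, "root:x:0:0:root:/root:/bin/bash\n"))
```

Run against the sample, the scanner flags the three traversal attempts (one of them over HTTP/1.0, two over HTTP/1.1) and ignores both the benign cfg=default request and the traversal aimed at an unrelated plugin; confirms_lfi() is the check to apply to the body of a scanner's own probe response, not to access logs, which do not record bodies.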

CVSS provenance

NVD, CVSS v3.0:  9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0:  7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck:       9.8 CRITICAL