WordPress Remote & Local File Inclusion Vulnerability Exploit

Remote & Local File Inclusion Exploit In WordPress

WordPress Local File Inclusion Vulnerability

The intent of this post is to help penetration testers to identify and test Remote File Inclusion (RFI) & Local File Inclusion (LFI) vulnerabilities in WordPress and helping future pentesting testing by consolidating research. LFI vulnerabilities are typically discovered during web application pen testing using the LFI exploit testing techniques listed in this document. Check out our huge list of wordpress vulnerability scanner tools.

What is a Local File Inclusion (LFI) vulnerability?

Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without properly sanitizing the input, allowing an attacker to manipulate the input and inject jump characters from the path and include other files from the webserver.

Basically, Local File Inclusion Vulnerability in wordpress is due to improper sanitization of ajax path parameter in requests to ajax shortcode pattern. php script. By exploiting this vulnerability, a remote, unauthenticated attacker could retrieve arbitrary files from the target server.

The following is an example of a PHP code vulnerable to local file inclusion.

<? Php 

   $ file = $ _GET ['file']; 

   if (isset ($ file)) 


       include ("pages / $ file"); 




       include ("index.php"); 



 Remote File Inclusion

By using remote file inclusion, an attacker includes a remote file in a web application. This type of attack is possible for web applications that include external files or scripts dynamically. Include attacks of this type generally occur when an application receives, through one of its paths, a file. If this path is not “sanitized” correctly, the possibility of intrusion opens. This grants the attacker access to provide an external URL to the include function.

There are several consequences of a successful RFI attack. These range from confidential information disclosure and cross-site scripting (XSS) theft; to remote code execution that can completely alter the functionality of our applications. An attacker could, for example, use an embedded PHP script.

Through this script, you could make HTTP requests to fool the affected applications. In this way, you can get applications to run malicious code on the server side without knowing that it is malware.

The danger of this type of files can even reach the theft of privileges. If a malicious file is included, it can be run with the privileges of the user running the web application. That allows an attacker to execute whatever code he wants; either on the web server or within the application. They can even maintain their presence on the web server without being detected.

Also ReadOver A Million WP Sites Hacked in Widespread Attacks – (News)

Local File Inclusion

Local file inclusion is very similar to remote file inclusion. However, such an attacker can only include local files (not remote files as in the case of RFI). An attacker can use these types of include attacks to fool the web application. This way you will be able to get files to be exposed or executed on the server. You can also get the disclosure of confidential information; remote code execution or even cross-site scripting (XSS).

Typically, this kind of attack occurs when an application uses the path to a file as input. If the application adopts this input as trusted, a local file can be used in the include statement of the application. In this way, the application could be tricked into running a PHP script, such as a web shell. But it would be one embedded by the attacker, which would then be uploaded to the web server.

Also ReadHow to remove WP-VCD malware in WordPress


  • WordPress Plugin Site Editor 1.1.1 – Local File Inclusion – PHP Exploit – (source)
Product: Site Editor WordPress Plugin - https://wordpress.org/plugins/site-editor/
Vendor: Site Editor
Tested version: 1.1.1
CVE ID: CVE-2018-7422

** CVE description **
A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php.
  • Path Traversal and Local File Inclusion vulnerability lead to Remote Code Execution in the WordPress core (CVE-2019-8943). – Ripstech



  • WordPress Localize My Post plugin version 1.0 suffers from a local file inclusion vulnerability. – packetstrom

Attack Detection

Let’s say the file uploaded by the attacker is included and executed by the user running the web application. This would allow an attacker to run any malicious server-side code they want. But this is the worst case, an extreme situation. An attacker does not always have the ability to load a malicious file into the application. Even if it did, there is no guarantee that it will work.

The file could be discovered, or the application could save the file to another server where the LFI vulnerability exists. Even then, the attacker would still need to know the path from the disk to the uploaded file in order to execute it.

Also Read WordPress Privilege Escalation Vulnerability Contact Form

Identifying Local File Inclusion Vulnerability in Web applications

LFI vulnerabilities are easy to identify and exploit. Any script that includes a file from a web server is a good candidate for additional LFI testing, for example:


A penetration tester could try to exploit this vulnerability by manipulating the file location parameter, such as:


The above is an effort to display the contents of the / etc / passwd file on a UNIX / Linux based system.

Below is an example of a successful Local File Inclusion exploit in a web application:

 Remote File Inclusion (RFI) and Local File Inclusion

PHP wrappers

PHP has a number of wrappers that can often be misused to bypass various input filters.

PHP   expect: // allows the execution of system commands, unfortunately the PHP wait module is not enabled by default.

php? page = wait: // LS

The payload is sent in a POST request to the server, such as:

? / Fi / page = php: // input and CMD = ls

Example using php: // input against DVWA:

Also ReadConvert Plus WordPress Plugin Vulnerability Exploit

PHP Zip Envelope

The zip wrapper processes uploaded .zip file server-side that allows a penetration test to upload a zip file using a vulnerable file upload feature and leverage that zip through an LFI filter to run. A typical attack example would look like this:


  • Create a PHP reverse shell
  • Compress to a .zip file
  • Upload compressed shell payload to server
  • Use the postal container to extract the payload using:? Php? Page = zip: //path/to/file.zip%23shell
  • The above extract the zip file to shell, if the server does not add .php rename it instead shell.php

If the file upload feature does not allow zip files to be uploaded, you can try bypassing the file upload feature (see: OWASP file upload test document).

LFI via / proc / self / environ

If it is possible to include/proc / self / environ through a local file include vulnerability, then entering the source code through the user-agent header is a possible vector. Once the code has been injected into the header user agent a local file includes vulnerability can be exploited to run/proc / self / environ and reload the environment variables, running your shell in reverse.

Also ReadZero-day Vulnerability Exploit in WordPress Plugin

Useful shells

Tiny PHP back doors useful for the above techniques:

<? system (‘uname -a’);?>

Null Technique Byte

Null Byte Injection bypasses application filtering within web applications by adding URL encoded “null bytes” such as 00%. Typically, this bypasses basic web application blacklist filters by adding additional null characters that are then allowed or not processed by the secondary web application.

Some practical examples of null byte injection for LFI:

vuln.php? page = / etc / passwd% 00

vuln.php? page = / etc / passwd% 2500

The LFI shunt truncation

Truncation is another blacklist bypass technique. By injecting the length parameter into the vulnerable file include mechanism, the web application can “cut off” (truncate) the input parameter, which can bypass the input filter.

Also ReadWordPress REST API Vulnerability Content Injection Exploit

Contamination of the log file

Log file contamination is the process of injecting source code into log files on the target system. This is accomplished by introducing source code through other exposed services on the target system, which the target operating system/service will store in log files. For example, reverse PHP shell code injection into a URL, causing syslog to create an entry in the Apache access log for a 404 page of input not found. The Apache log file would then be parsed using a previously discovered file inclusion vulnerability, running the injected reverse PHP shell.

After the introduction of source code for the target systems file (s) the next stage is the identification of the location of the log log file. During the recognition and discovery stage of the webserver penetration testing and it is likely that the target operating system would have been identified, a good starting point would be to look up the default registry paths for the identified operating system and server. Web (if not already known to the consultant). FuzzDB’s LFI Burp payload lists can be used in conjunction with Intruder Burp to quickly identify the locations of valid log files on the target system.

Some commonly exposed services on a Linux / UNIX system are listed below:

Apache / Nginx

Inject code into the webserver access or error logs using Netcat, after successful injection analyze the location of the server log file by exploiting the previously discovered LFI vulnerability. If the webserver access/error logs are long, it may take some time to run your injected code.

Also ReadMalicious Code Injection WordPress Hack

Send to a reverse shell

If the mail destination machine relays either directly or through another computer on the network and stores mail for the www-user data (or Apache user) on the system, then it is possible to email a shell reverse to the bullseye. If there are no MX records for the SMTP domain, but it is exposed that it is possible to connect to the destination mail server and send mail to the www-data Apache user.

Mail is sent to the user running Apache such as www-data to secure file system permissions that will allow read access to the / var / spool / mail / www-data file containing the injected PHP reverse shellcode.

Also ReadWordPress Arbitrary File Deletion Vulnerability Exploit

How to prevent Local File Inclusion?

It’s easy to check if your web site or application is vulnerable to LFI. By running an automated scan using our scanner, you will get an accurate answer. This is because this scanner includes a specialized module for Local File Inclusions, which ensures its detection.

Cross-site scripting attacks

Cross-site Scripting (XSS) is an inclusion attack similar to LFI or RFI. However, XSS attack occurs on the client-side. The aim of these attacks is to execute malicious scripts in the victim’s web browser. In WordPress, This is accomplished by embedding malicious code or malware on wordpress website. However, the actual attack occurs when the victim visits the web page or application that executes the malicious code.

This class includes attacks that turns the page or application into a vehicle for delivering the malicious script. This inclusion occurs in the browser of whoever accesses these services. The most common vehicles for cross-site scripting attacks are forums, message boards, and comment web pages.

To better XSS protection, you must sanitize your gateway services. This is achieved by preventing your application code from generating data received as input directly to the browser without checking for malicious code.

If you are interested in receiving more information about WP Hacked Help and its WordPress malware removal service, do not hesitate to contact us. At here we offer the best in the market and we put at your disposal a team of professionals willing to advise and accompany you on your way to a more efficient and secure IT environment.

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)