WordPress Theme Tuner Plugin 'tt-abspath' Parameter Remote File Inclusion Vulnerability Network Vulnerability

Summary

This host is running WordPress and is prone to remote file inclusion vulnerability.

Impact

Successful exploitation will allow attacker to compromise the application and the underlying system other attacks are also possible. Impact Level: System/Application

Solution

Upgrade to WordPress Theme Tuner Plugin version 0.8 or later. For updates refer to http://wordpress.org/extend/plugins/theme-tuner/

Insight

The flaw is due to improper validation of user-supplied input to the 'tt-abspath' parameter in '/ajax/savetag.php', which allows attackers to execute arbitrary PHP code.

Affected

WordPress Theme Tuner Plugin version 0.7 and prior

References

http://osvdb.org/show/osvdb/78457
http://secunia.com/advisories/47722
http://spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos
http://wordpress.org/extend/plugins/theme-tuner/changelog
http://xforce.iss.net/xforce/xfdb/72626

Updated on 2017-03-28

Severity

Classification

CVE CVE-2012-0934
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

b2Evolution title SQL Injection
4Images <= 1.7.1 Directory Traversal Vulnerability
Arkeia Appliance Multiple Vulnerabilities
Acute Control Panel SQL Injection Vulnerability and Remote File Include Vulnerability
Apache Tomcat Windows Installer Privilege Escalation Vulnerability

Take action and discover your vulnerabilities