CVE-2019-9618

CRITICAL EXPLOITED NUCLEI

WordPress Media Player 1.0 - Local File Inclusion


Exploitation Summary

CVE-2019-9618 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Manuel García Cárdenas. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a vulnerability writeup for CVE-2019-9618, detailing a Local File Inclusion (LFI) vulnerability in the WordPress plugin GraceMedia Media Player 1.0. The vulnerability arises from unsanitized user input in the 'cfg' parameter, allowing attackers to include local files via path traversal.

Description

The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.

Exploits (1)

exploitdb WRITEUP
by Manuel García Cárdenas · text · webapps · php
https://www.exploit-db.com/exploits/46537

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: GraceMedia Media Player <= 1.0
No auth needed
Prerequisites: WordPress with GraceMedia Media Player plugin version 1.0 installed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

WordPress GraceMedia Media Player 1.0 - Local File Inclusion
CRITICAL · by daffainfo

References (4)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Mar/32
Release Notes, Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/gracemedia-media-player/#developers
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Mar/26
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9234

Scores

CVSS v3 9.8
EPSS 0.4077
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-06-03
CWE CWE-22
Status published
Products (1)
gracemedia_media_player_project/gracemedia_media_player 1.0
Published May 13, 2019
Tracked Since Feb 18, 2026