The document describes multiple vulnerabilities in the WordPress Social Discussions Plugin version 6.1.1, including a Remote File Inclusion (RFI) vulnerability due to uninitialized variables and Full Path Disclosure (FPD) via direct script access. The RFI requires specific PHP configurations, while the FPD relies on error messages.
Classification
Writeup 100%
Attack Type
Rce | Info Leak
Target:
WordPress Social Discussions Plugin 6.1.1
No auth needed
Prerequisites:
register_globals=on · register_long_arrays=off · allow_url_include=on for RFI · PHP < 5.3.4 for LFI null-byte attacks · magic_quotes_gpc=off for LFI null-byte attacks · display_errors=on for FPD