WordPress – KenBurner Slider Local File Inclusion (LFI)

Description

Cytrix has detected that you are using the Responsive KenBurner Slider WordPress plugin.
This local file inclusion (LFI) vulnerability exists because user-supplied input to the ‘img’ parameter of the ‘image_view.class.php’ script is not properly sanitized.

By exploiting this vulnerability, an attacker can read any file on the server, including your wp-config.php file.
From that file the attacker can obtain the database credentials, which can then be used to launch further attacks against the website through its database.
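Because the advisory names the vulnerable script and parameter, exploitation attempts are easy to spot in web-server access logs. The following detection script is an added example and not part of the advisory or the plugin; the log lines are constructed, and the plugin directory name "slider-plugin" is a placeholder, since the advisory gives only the script name and the ‘img’ parameter.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines, not real traffic. "slider-plugin"
# is a placeholder directory name; the advisory only names image_view.class.php.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/slider-plugin/image_view.class.php?img=../../../wp-config.php HTTP/1.1" 200 1842 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/slider-plugin/image_view.class.php?img=..%252F..%252F..%252Fwp-config.php HTTP/1.1" 200 1842 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/slider-plugin/image_view.class.php?img=uploads/2024/banner.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize_img(value):
    """Undo repeated URL encoding and unify slashes so encoded variants still match."""
    for _ in range(3):                      # covers double/triple encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_suspicious_img(value):
    """True when 'img' is not a plain relative image path (traversal, absolute path, null byte, stream wrapper)."""
    v = normalize_img(value)
    if "\x00" in v or v.startswith("/") or "://" in v:
        return True
    return any(seg == ".." for seg in v.split("/"))


def find_lfi_attempts(log_text):
    """Return requests to image_view.class.php whose 'img' value looks like an LFI attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/image_view.class.php"):
            continue
        for img in parse_qs(parts.query).get("img", []):   # parse_qs decodes once
            if is_suspicious_img(img):
                hits.append({"ip": ip, "time": ts, "img": normalize_img(img), "status": status})
    return hits
```

A hit with status 200 on an unpatched site means the file was most likely served, so treat the wp-config.php credentials as exposed and rotate them as part of the response.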

Severity/Score

Average Score – 5.0 Medium

Recommendation

Upgrade the KenBurner Slider WordPress plugin to version 1.8, the version in which this vulnerability was fixed.

References

https://arbitrary321.rssing.com/chan-37141670/latest.php
https://cwe.mitre.org/data/definitions/22.html