Simple Fields WordPress Plugin Local File Inclusion Vulnerability Allowing Arbitrary File Read and Potential Remote Code Execution

A local file inclusion vulnerability has been identified in the Simple Fields WordPress plugin, affecting versions 0.2 through 0.3.5. This vulnerability allows unauthenticated attackers to read arbitrary files by injecting null bytes into the wp_abspath parameter. The issue arises in PHP versions prior to 5.3.4, where the null byte injection can be used to manipulate file inclusion behavior. Exploitation could lead to reading sensitive files like /etc/passwd or, under certain conditions, injecting PHP code into Apache logs for remote code execution, especially if allow_url_include is enabled.

Impact

Exploitation of this vulnerability could lead to unauthorized file access and, in some cases, remote code execution on the server.

Reproduction

To reproduce this vulnerability, send a request to the 'simple_fields.php' file within the 'wp-content/plugins/simple-fields/' directory. Include a crafted 'wp_abspath' parameter that injects a null byte after a file path, such as '/etc/passwd'. If the 'allow_url_include' directive is enabled, PHP code can be injected and executed remotely by targeting a file that is included by the server, such as the Apache access log.

Remediation

Users are advised to update the Simple Fields WordPress plugin to version 0.3.6 or later. Additionally, upgrading PHP to version 5.3.4 or later is recommended.