Local File Inclusion vulnerability in WordPress Dropbox Folder Share Plugin

A Local File Inclusion vulnerability has been identified in the WordPress Dropbox Folder Share Plugin. This vulnerability could allow a malicious actor to include local files of the target website and show its output onto the screen. Files that store credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration.

This vulnerability was discovered and responsibly reported by Marco Wotschka.

The vulnerability is a Local File Inclusion vulnerability that occurs in the dropbox-folder-share.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to include local files of the website.

The vendor has not yet released a patched version of the plugin. Users are advised to uninstall the plugin until a patched version is released.

Severity:

The vulnerability has a CVSS 3.1 score of 9.8, which is considered to be critical. This means that the vulnerability is very likely to be exploited and could have a severe impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Dropbox Folder Share Plugin.

Impact:

An attacker who successfully exploits this vulnerability could:

Include local files of the target website and show its output onto the screen.
Access sensitive files on the website, such as database credentials, configuration files, and user data.
Execute arbitrary PHP code on the website.
Take full control of the website.

Recommendation:

Users of the Dropbox Folder Share Plugin are strongly advised to take the following action for the website’s defenses:

Disable the Plugin: In the absence of a patched version, consider disabling the Dropbox Folder Share Plugin until a security fix is provided. This can help mitigate the potential risks associated with the vulnerability.
Enhance Security Measures: Strengthen the website’s security measures by implementing robust authentication protocols, access controls, and regular security audits. This proactive approach is essential to thwart potential exploitation attempts.

Local File Inclusion vulnerability in WordPress Dropbox Folder Share Plugin

Severity:

Affected Versions:

Impact:

Recommendation:

Related Articles

Remote Code Execution (RCE) vulnerability in WordPress Allow PHP in Posts and Pages Plugin

Cross-Site Scripting (XSS) vulnerability in WordPress Grid Plus Plugin

Cross-Site Scripting (XSS) vulnerability in WordPress PeproDev CF7 Database Plugin

SQL Injection vulnerability in WordPress Horizontal Scrolling Announcement Plugin

Mitigating High-Severity XSS Vulnerability in WooCommerce Ship to Multiple Addresses Plugin

Arbitrary File Upload vulnerability in WordPress Forminator Plugin

Categories

Latest Blog Updates

Unmasking a Persistent Malware Attack on a WordPress Website

Investigating and Resolving High CPU Usage in WordPress Due to Malicious Crawlers

Unmasking a Hidden Malware Attack Targeting Users from Search Results

Critical Broken Access Control Vulnerability in WP Travel Plugin

Critical Broken Access Control Vulnerability in WooODT Lite Plugin

Critical Local File Inclusion Vulnerability in HTML filter and csv-file search Plugin

Critical Remote Code Execution Vulnerability in PHP to Page Plugin