Security for everyone

CVE-2018-20463 Scanner

Detects 'Local File Inclusion (LFI)' vulnerability in JSmol2WP plugin for WordPress affects v. 1.07.

SCAN NOW

Short Info


Level

High

Type

Single Scan

Can be used by

Asset Owner

Estimated Time

10 sec

Scan only one

Url

Parent Category

CVE-2018-20463 Scanner Detail

The JSmol2WP plugin 1.07 for WordPress is a tool designed to enhance website visitors' experience by providing an interactive way to visualize chemical structures and molecular information. This plugin enables website owners to integrate JSmol, a free and open-source web-based viewer for chemical structures, into their WordPress websites. By doing so, visitors can rotate, zoom, and manipulate the 3D models of molecules, making the learning process more engaging and informative.

Unfortunately, the usage of JSmol2WP plugin 1.07 for WordPress has been jeopardized by the CVE-2018-20463 vulnerability. This vulnerability allows an attacker to read arbitrary files on the server by navigating up from the directory root, also known as directory traversal. The issue resides in the jsmol.php file of the plugin, where the "query" parameter is not properly sanitized. As a result, an attacker can craft a query string containing "../" sequences to access files outside the intended directory.

The exploitation of this vulnerability can lead to a range of severe consequences, depending on the file that the attacker gains access to. For instance, if the attacker gains access to the website's configuration file, they can retrieve sensitive information such as login credentials and database credentials. Moreover, the attacker can use this vulnerability for Server-Side Request Forgery (SSRF), which enables them to make HTTP requests from the server and launch further attacks against external resources.

In summary, the JSmol2WP plugin 1.07 for WordPress has a serious vulnerability that allows attackers to read arbitrary files on the server. This vulnerability can have significant consequences, including data theft and SSRF. To protect against this vulnerability, website owners should implement several measures such as updating the plugin and hardening the server's security. By using the pro features of the securityforeveryone.com platform, users can easily and quickly learn about vulnerabilities in their digital assets and stay informed about potential threats.

 

REFERENCES

cyber security services for everyone one. Free security tools, continuous vulnerability scanning and many more.
Try it yourself,
control security posture