Advisory:

Local File Inclusion in Theme My Login 6.3.9 provides access to arbitrary files and could facilitate arbitrary code execution

Vulnerability

Last revised:

Users who can edit posts can insert a shortcode whose attribute is vulnerable to local file inclusion. This gives an attacker read-only access to any non-PHP file on the server, or arbitrary code execution if they can also upload a PHP file.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability:

  Score           6.5 (Medium)
  Vector          Network
  Complexity      Low
  Authentication  Single
  Confidentiality Partial
  Integrity       Partial
  Availability    Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Depending on the exact path to your WordPress installation, the following may or may not cause the contents of /etc/passwd to be displayed (adjust the path as necessary, based on your server configuration):

[theme-my-login login_template="../../../../../../../../../etc/passwd"]
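The following is an added illustration of the pattern behind this class of bug and of how a shortcode handler avoids it. It is not the Theme My Login plugin's code, nor the fix shipped in 6.3.10; the template names, directory layout and function names are assumptions made for the example. The unsafe handler appends the attribute straight to a directory and passes it to include, which is what lets a value such as the one in the proof of concept escape the template directory; the hardened handler only accepts names from a fixed allowlist and re-checks the resolved path before including anything.

```php
<?php
// Hypothetical shortcode handlers written for this advisory as an illustration.
// NOT the Theme My Login plugin's code. Assumed layout: templates live in a
// fixed "templates/" directory next to this file and are selected by name.

// Unsafe pattern (the bug class described above): the attribute value is
// appended to a directory and handed to include unchanged, so a traversal
// value escapes the directory and any file the web server can read is
// disclosed (non-PHP) or executed (PHP).
function tml_example_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'login_template' => 'login-form.php' ), $atts );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['login_template']; // unsafe
    return ob_get_clean();
}

// Hardened pattern: the attribute can only select one of a fixed set of
// template names, and the resolved path is checked to still sit inside the
// template directory before include. Either check alone closes the hole;
// both are shown as defence in depth.
function tml_example_safe( $atts ) {
    $template_dir = plugin_dir_path( __FILE__ ) . 'templates/';
    // Hypothetical template names for the example.
    $allowed = array( 'login-form.php', 'register-form.php', 'lostpassword-form.php' );

    $atts = shortcode_atts( array( 'login_template' => 'login-form.php' ), $atts, 'theme-my-login-example' );
    $name = $atts['login_template'];

    // 1. Allowlist: anything that is not a known template name is rejected.
    //    The rejected value is never echoed back into the page.
    if ( ! in_array( $name, $allowed, true ) ) {
        return '';
    }

    // 2. Path containment: after realpath() the file must be a descendant of
    //    the template directory (realpath() resolves ".." and symlinks).
    $real_dir  = realpath( $template_dir );
    $real_file = realpath( $template_dir . $name );
    if ( false === $real_dir || false === $real_file
        || 0 !== strpos( $real_file, $real_dir . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $real_file;
    return ob_get_clean();
}

// Only the hardened handler is registered; the unsafe one exists for comparison.
add_shortcode( 'theme-my-login-example', 'tml_example_safe' );
```

The allowlist is the check that matters: a template selector should map a short name to a file, never accept a path. The realpath() containment test is there so that a future change to the allowlist (for example, letting themes register extra template names) cannot quietly reintroduce traversal.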

Advisory timeline

  • 2014-06-10: Discovered
  • 2014-06-25: Reported to WP.org; contact information requested from author
  • 2014-06-26: Reported to author
  • 2014-06-27: Author reports fixed
  • 2014-06-30: Published

Mitigation/further actions

Upgrade to version 6.3.10 or later.

Please note that while the changelog for version 6.3.10 labels this as a potential vulnerability, this plugin is in fact categorically vulnerable as described above. Users of this plugin should not consider version 6.3.10 to be an optional or low-priority upgrade.
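Because any user with post-editing rights could have used the shortcode before the upgrade, a site owner may want to check stored content for misuse. The following is an added example, not part of this advisory or of the plugin, that scans post content for [theme-my-login] shortcodes whose login_template attribute looks like a path rather than a bare template file name. It relies only on the standard WordPress get_posts() function; the shortcode and attribute names are those shown in the proof of concept above.

```php
<?php
// Added illustration for this advisory (not the plugin's code): find posts whose
// stored content uses the vulnerable shortcode with a path-like template value.
// Run inside WordPress, e.g. with `wp eval-file scan.php` from WP-CLI.

/**
 * Return the login_template values in one post's content that do not look like
 * a bare template file name. A value is flagged if it contains a path separator,
 * "..", or a null byte, or if it does not end in ".php".
 */
function tml_scan_content_for_suspicious_templates( $content ) {
    $found = array();
    // Matches [theme-my-login ... login_template="value" ...] with either quote style.
    $pattern = '/\[theme-my-login\b[^\]]*?login_template\s*=\s*(["\'])(.*?)\1/i';
    if ( preg_match_all( $pattern, $content, $matches ) ) {
        foreach ( $matches[2] as $value ) {
            $looks_like_path = ( false !== strpos( $value, '/' ) )
                || ( false !== strpos( $value, '\\' ) )
                || ( false !== strpos( $value, '..' ) )
                || ( false !== strpos( $value, "\0" ) );
            if ( $looks_like_path || ! preg_match( '/\.php$/i', $value ) ) {
                $found[] = $value;
            }
        }
    }
    return $found;
}

/**
 * Walk every post get_posts() returns for post_type "any" (all statuses) and
 * return an array of post ID => list of suspicious values for manual review.
 */
function tml_scan_all_posts() {
    $report = array();
    $posts  = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
    ) );
    foreach ( $posts as $post ) {
        $values = tml_scan_content_for_suspicious_templates( $post->post_content );
        if ( $values ) {
            $report[ $post->ID ] = $values;
        }
    }
    return $report;
}

// Constructed sample content for a stand-alone check of the matcher:
// the first value is an ordinary template name, the second is the shape
// of the proof-of-concept value and is the one that should be reported.
$sample = '[theme-my-login login_template="login-form.php"] '
        . '[theme-my-login login_template="../../../../etc/passwd"]';
print_r( tml_scan_content_for_suspicious_templates( $sample ) );
// Inside WordPress, report across all posts:
if ( function_exists( 'get_posts' ) ) {
    print_r( tml_scan_all_posts() );
}
```

A hit only tells you the shortcode was stored with a path-like value; confirming what was read or executed means correlating the post's author and revision history with web server logs for requests to that post, and, where a PHP upload is suspected, checking the uploads directory for .php files.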