wp-plugin : cross-rss – Local File Inclusion


Plugin Details


Plugin Name : cross-rss


Affected Version : 1.7 (and most probably lower versions, if any)

Vulnerability : Local File Inclusion
Identified by : Anant Shrivastava



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :



Vulnerable Parameter : rss


Disclosure Timeline


Vendor Contacted : 2014-02-19

Plugin Status : Closed
Public Disclosure : May 29, 2014
CVE Number : CVE-2014-4941

Plugin Description :
IP file, place folder cross-rss with all files to wp-content/plugins dir. Go to WordPress Admin Plugins sections and activate Cross-RSS 0.5 plugin
Set chmod 777 to wp-content/plugins/cross-rss/cache (make writable by webserver scripts)
Set chmod 666 to wp-content/plugins/cross-rss/proxy.log (make writable by webserver scripts)

When creating a page or blog post, just place the line: [crossrss url=http://example.com/file.rss /] where http://example.com/file.rss is the full URL of the RSS you want to view on your WordPress page.
