CVE-2018-9118 — AI Deep Analysis Summary

🚨 **Essence**: Directory Traversal in `exports/download.php`. 📉 **Consequences**: Attackers can read arbitrary files on the server, potentially exposing sensitive config or source code.

🛡️ **CWE**: Path Traversal (Implicit). 🐛 **Flaw**: The plugin fails to sanitize user input in the `fil` parameter, allowing `../` sequences to escape the intended directory.

📦 **Product**: WordPress Plugin: '99 Robots WP Background Takeover Advertisements'. 📅 **Affected**: Versions **prior to 4.1.5** (specifically confirmed in 4.1.4).

💀 **Action**: Local File Inclusion (LFI). 📂 **Data**: Can read sensitive server files (e.g., `wp-config.php`, logs). ⚠️ **Privilege**: Depends on web server user rights, but can lead to full site compromise.

⚡ **Threshold**: **LOW**. 🌐 **Auth**: Likely requires no authentication or low-privilege access to the plugin's export function. 🎯 **Config**: Direct URL access to `exports/download.php` is sufficient.

🔓 **Exploit**: **YES**. 📜 **Source**: Exploit-DB #44417. 🧪 **PoC**: Available via ProjectDiscovery Nuclei templates. 🌍 **Wild Exploit**: High risk due to simplicity.

🔍 **Check**: Scan for `exports/download.php` endpoint. 📡 **Tool**: Use Nuclei or Wappalyzer to detect the specific plugin version. 🧪 **Test**: Inject `../` in the `fil` parameter to test for file leakage.

🩹 **Fix**: **YES**. 📥 **Action**: Update the plugin to **version 4.1.5** or later. ✅ **Official**: Confirmed by vendor documentation links.

🚧 **Workaround**: Disable the plugin if not needed. 🛑 **Block**: Restrict access to `exports/download.php` via WAF rules or `.htaccess`. 🧹 **Remove**: Delete the plugin directory if unused.

🔥 **Priority**: **HIGH**. 📅 **Date**: Published 2018-04-12. ⚠️ **Risk**: Simple LFI can lead to RCE. 🚀 **Action**: Patch immediately if running vulnerable versions.