Key Vulnerability Information

EDB-ID: 44340
CVE: 2018-7422
Author: Nicolas Buzy-Debat
Type: WEBAPPS
Platform: PHP
Date: 2018-03-23
Vulnerable App: Site Editor WordPress Plugin 1.1.1
Vulnerability: Local File Inclusion

CVE Description

A Local File Inclusion vulnerability in the Site Editor plugin through version 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the parameter in .

Technical Details

The value of the parameter is used to include a file via PHP's . This parameter is attacker-controlled and is not properly sanitized before it reaches the include.

Proof of Concept

Solution

No fix available yet.

Timeline

03/01/2018: Author contacted via siteeditor.org's contact form; no response
16/01/2018: Issue report filed on the public GitHub page without technical details
18/01/2018: Author responds, claiming he had replied to the email 8 days prior (no such email found); author sends another email
19/01/2018: Report sent; author states he will fix the issue "very soon"
31/01/2018: Vendor contacted to inquire about an estimated release date and whether disclosure should be delayed; no response
14/02/2018: WP Plugins team contacted; no response
06/03/2018: Vendor contacted; no response
07/03/2018: Vendor contacted; no response
15/03/2018: Public disclosure

Credits

Vulnerability discovered by Nicolas Buzy-Debat, working at Orange Cyberdefense Singapore (CERT-LEXSI).
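The Technical Details section describes the classic pattern behind this class of bug: a request parameter flows into a PHP include without sanitization. The following is an added illustration written for this page, not code from the Site Editor plugin; the parameter name (`view`), the function names, the views directory and the allowlist are all hypothetical, and the WordPress helpers `sanitize_key`, `wp_unslash` and `wp_die` are assumed to be available as they are inside a running WordPress install.

```php
<?php
// Hypothetical WordPress plugin endpoint (not Site Editor's code) that loads a
// view file chosen by a request parameter, shown in an unsafe and a hardened form.

// UNSAFE pattern: the request value reaches include() untouched, so any
// directory traversal sequences in it are honoured by the filesystem. This is
// the shape of bug the advisory above describes.
function lfi_demo_render_unsafe() {
    $view = isset($_GET['view']) ? $_GET['view'] : 'default';
    include dirname(__FILE__) . '/views/' . $view . '.php';
}

// HARDENED pattern: only a fixed allowlist of view names may be selected, and the
// resolved path must still lie inside the plugin's own views directory.
function lfi_demo_resolve_view($requested) {
    $allowed = array('default', 'header', 'footer'); // hypothetical set of selectable views
    $name = sanitize_key($requested);                 // WordPress helper: keeps only [a-z0-9_-]
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $base = realpath(dirname(__FILE__) . '/views');
    $path = realpath($base . '/' . $name . '.php');
    // realpath() collapses ".." and symlinks; require the result to remain under $base.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

function lfi_demo_render_safe() {
    $view = isset($_GET['view']) ? wp_unslash($_GET['view']) : 'default';
    $path = lfi_demo_resolve_view($view);
    if ($path === false) {
        // Reject anything outside the allowlist instead of trying to "clean" it.
        wp_die('Invalid view requested.', 'Invalid request', array('response' => 400));
    }
    include $path;
}
```

The allowlist check alone closes the bug; the `realpath` containment check is defence in depth against a future change that builds the path from other inputs.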