CVE-2019-9618

9.8 CRITICAL

📋 TL;DR

CVE-2019-9618 is a Local File Inclusion vulnerability in the GraceMedia Media Player WordPress plugin that allows attackers to read arbitrary files on the server via the 'cfg' parameter. This affects WordPress sites running version 1.0 of the plugin. Attackers can potentially access sensitive files like configuration files, password files, or source code.

💻 Affected Systems

Products:
  • GraceMedia Media Player WordPress Plugin
Versions: Version 1.0 only
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the GraceMedia Media Player plugin version 1.0 installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise through reading sensitive configuration files (like wp-config.php containing database credentials), followed by database access, privilege escalation, or remote code execution.

🟠 Likely Case

Information disclosure of sensitive files, potentially leading to credential theft, site defacement, or further exploitation.

🟢 If Mitigated

Limited impact with proper file permissions and web server configuration restricting access to sensitive directories.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be exploited by internal attackers or through compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward via crafted HTTP requests to the vulnerable parameter. Multiple public disclosures include proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.1 or later

Vendor Advisory: https://wordpress.org/plugins/gracemedia-media-player/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'GraceMedia Media Player'.
4. Click 'Update Now' if available, or delete the plugin and install the latest version from the WordPress repository.

🔧 Temporary Workarounds

Disable or Remove Plugin (platform: all)

Temporarily disable or completely remove the vulnerable plugin until patched.

wp plugin deactivate gracemedia-media-player
wp plugin delete gracemedia-media-player

Web Application Firewall Rule (platform: linux)

Block requests containing malicious 'cfg' parameter patterns.

ModSecurity rule:

SecRule ARGS:cfg "@rx \.\." "id:1001,phase:2,deny,status:403,msg:'CVE-2019-9618 LFI attempt'"

🧯 If You Can't Patch

  • Implement strict file permissions (e.g., 644 for files, 755 for directories) and disable directory listing in web server configuration.
  • Deploy a web application firewall (WAF) with rules to block Local File Inclusion patterns and monitor for exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for 'GraceMedia Media Player' version 1.0.

Check Version:

wp plugin get gracemedia-media-player --field=version

Verify Fix Applied:

Verify plugin version is 1.1 or later in WordPress admin, or test with controlled LFI payload (e.g., attempt to read /etc/passwd via cfg parameter).

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with 'cfg' parameter containing path traversal sequences (../, ..\)
  • Access to sensitive files like /etc/passwd, wp-config.php from web logs

Network Indicators:

  • Unusual GET/POST requests to plugin endpoints with file paths in parameters

SIEM Query:

web_access_logs WHERE url CONTAINS 'cfg' AND (url CONTAINS '../' OR url CONTAINS '..\\' OR url CONTAINS '/etc/' OR url CONTAINS 'wp-config')
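The log indicators above, turned into a small access-log scanner. This is an added example, not code from this page or from the plugin vendor; the plugin endpoint name in the sample lines is a placeholder (the page does not give it) and the log lines are constructed. Unlike the SIEM query, it matches only on the value of the cfg parameter and percent-decodes that value repeatedly, so encoded traversal sequences are caught and unrelated URLs that merely contain the string 'cfg' are not flagged.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines; endpoint file name is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:12:00:01 +0000] "GET /wp-content/plugins/gracemedia-media-player/example-endpoint.php?cfg=player.xml HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2019:12:00:02 +0000] "GET /wp-content/plugins/gracemedia-media-player/example-endpoint.php?cfg=../../../../etc/passwd HTTP/1.1" 200 1831
203.0.113.7 - - [10/Mar/2019:12:00:03 +0000] "GET /wp-content/plugins/gracemedia-media-player/example-endpoint.php?cfg=..%2F..%2Fwp-config.php HTTP/1.1" 200 2990
203.0.113.9 - - [10/Mar/2019:12:00:04 +0000] "GET /wp-content/plugins/gracemedia-media-player/example-endpoint.php?cfg=%252e%252e%252fwp-config.php HTTP/1.1" 200 2990
198.51.100.2 - - [10/Mar/2019:12:00:05 +0000] "GET /static/../img/cfg-icon.png HTTP/1.1" 200 120
"""

# Fields we need from a combined-format line: client IP, timestamp, request target.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators named in the advisory: traversal sequences, /etc/ paths, wp-config.
TRAVERSAL = re.compile(r'(\.\./|\.\.\\|/etc/|wp-config)', re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so multiply-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target: str):
    """Return the decoded cfg value if it matches an LFI indicator, else None."""
    query = urlsplit(target).query
    for raw in parse_qs(query, keep_blank_values=True).get("cfg", []):
        value = fully_decode(raw)  # parse_qs already decoded once
        if TRAVERSAL.search(value):
            return value
    return None


def scan_log(text: str):
    """Return (ip, timestamp, decoded cfg value) for every matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        suspicious = inspect_target(m.group("target"))
        if suspicious is not None:
            hits.append((m.group("ip"), m.group("ts"), suspicious))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} cfg={value!r}")
```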
