SEO by SQUIRRLY™ [Path Traversal]


Plugin SEO by SQUIRRLY™ suffers from a Path Traversal vulnerability. Plugin allows anyone to request and download a file that is set as favicon. When requesting the file the optional parameter $_GET['sq_size'] can be used to traverse the path of the requested file, thus allowing an attacker to download arbitrary files from the server.

In order to exploit this vulnerability two conditions must be met:

  1. The value of option sq_use evaluates to true
  2. A favicon is set

By default none of those conditions are met. But after setting up the plugin in order to be of any use the user must activate it and this means that the value of (1) will change to 1, so the only non trivial condition is (2).


In this PoC we download the wp-config.php file, given that the favicon path rel to ABSPATH is wp-content/uploads/squirrly/favicon.png

curl ''