The Age Gate plugin for WordPress is a popular tool used by many websites that require visitors to be of a certain age before they can access certain content. Unfortunately, a recent discovery has found that this plugin contains a Local PHP File Inclusion (LFI) vulnerability in all versions up to and including 3.5.3. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing for potential bypassing of access controls, obtaining sensitive data, or achieving code execution where images and other ostensibly safe file types can be uploaded and included.
This post will provide an in-depth analysis of this vulnerability, CVE-2025-2505, along with code snippets, exploitation details, and links to original references. It aims to increase awareness of this issue and help website administrators who use the Age Gate plugin to better understand the potential risks of this vulnerability.
Code Snippet & Links to Original References
The vulnerability lies in the implementation of the 'lang' parameter, which is used to allow users to switch between different language versions of the Age Gate plugin. The following code snippet, found in the file age-gate-ajax.php, demonstrates how the 'lang' parameter is handled improperly:
```php
// Vulnerable pattern (as reported): the client-controlled 'lang' value is used
// unchanged to build the path of the file that is included.
$lang = isset($_GET['lang']) ? $_GET['lang'] : 'en';
require_once(AGE_GATE_DIR . 'language/' . $lang . '.php');
```
As seen, the 'lang' parameter is appended directly, without any validation, to the path of the PHP file that is included. This makes Local PHP File Inclusion possible: an attacker can supply a crafted 'lang' value, such as '../../../malicious_file', to include and execute a PHP file of their choosing that already exists on the server.
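For comparison, a hardened way of resolving the 'lang' parameter, written here as an added example rather than taken from the Age Gate plugin (the function name, the allowlist contents and the AGE_GATE_DIR fallback are assumptions):

```php
<?php
// Added example, not Age Gate plugin code. AGE_GATE_DIR is assumed to be the
// plugin's base directory, as in the vulnerable snippet above.
if (!defined('AGE_GATE_DIR')) {
    define('AGE_GATE_DIR', __DIR__ . '/');
}

// Hypothetical allowlist: only the language files the plugin actually ships.
const AGE_GATE_LANGUAGES = ['en', 'de', 'fr', 'es'];

/**
 * Return the absolute path of the language file for $lang, or null if the
 * value is not an allowlisted language code. The path is never built from
 * raw client input alone.
 */
function age_gate_language_file(string $lang): ?string
{
    // 1. Shape check: only codes like "en" or "pt_BR". This rejects slashes,
    //    dots, null bytes and therefore inputs such as "../../../x" or "en\0".
    if (!preg_match('/\A[a-z]{2,3}(_[A-Z]{2})?\z/', $lang)) {
        return null;
    }
    // 2. Allowlist check: the value must be one of the known codes.
    if (!in_array($lang, AGE_GATE_LANGUAGES, true)) {
        return null;
    }
    // 3. Containment check: the resolved file must exist inside language/.
    $base = realpath(AGE_GATE_DIR . 'language');
    $file = realpath(AGE_GATE_DIR . 'language/' . $lang . '.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Caller: fall back to 'en' instead of including whatever the client sent.
$lang = (isset($_GET['lang']) && is_string($_GET['lang'])) ? $_GET['lang'] : 'en';
$file = age_gate_language_file($lang) ?? age_gate_language_file('en');
if ($file !== null) {
    require_once $file;
}
```

Any of the three checks alone would stop the traversal shown above; keeping all three means a future change to one of them does not silently reopen the hole.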
Original references for this vulnerability can be found at the following links:
* WordPress Age Gate Plugin Vulnerability - Exploit Database
* WordPress Age Gate 1.4.1 - Local File Inclusion - Exploit Database
Exploit Details
To exploit this vulnerability, an attacker must first upload a malicious PHP file to the server. This can often be done using features like profile picture uploads, which allow uploading of image files. An attacker can create a fake image file with embedded PHP code to bypass validation checks. An example of such a malicious file could contain the following PHP code:
```php
GIF89a <?php phpinfo(); ?>
```
Once the malicious file is on the server, the attacker makes a GET request to the following URL, replacing [WEBSITE_URL] with the target website's URL, [FILE_PATH] with the path to the uploaded file, and [FILE_EXTENSION] with its file extension (e.g., 'jpg'):
https://[WEBSITE_URL]/wp-content/plugins/age-gate/language/age-gate-ajax.php?lang=../../../[FILE_PATH]/malicious_file.[FILE_EXTENSION]%00
By successfully exploiting the vulnerability, the attacker can bypass age restrictions, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Conclusion
The discovery of this Local PHP File Inclusion vulnerability in the Age Gate plugin for WordPress highlights the importance of regularly auditing and updating plugins to ensure that security vulnerabilities are addressed. In this case, it is crucial that site administrators using the Age Gate plugin update to the latest version to mitigate the risk of attackers exploiting this vulnerability.
In addition to keeping plugins updated, it is also essential to follow security best practices, such as regularly scanning for and addressing vulnerabilities, limiting access privileges to sensitive data, and implementing proper input validation techniques to protect against attacks. By taking these steps, website administrators can help to protect their sites and their users from potential harm caused by security vulnerabilities in their plugins and other server components.
Timeline
Published on: 03/20/2025 08:15:11 UTC