Description
Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php.
Remediation
References