Description
WordPress Plugin Child Theme Configurator is prone to an arbitrary file disclosure vulnerability because it fails to properly verify user-supplied input. An attacker can exploit this vulnerability to view local files (eg. server configuration) in the context of the web server process, which may aid in launching further attacks. WordPress Plugin Child Theme Configurator version 1.7.4 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 1.7.4.1 or latest
References
https://groups.google.com/forum/#!msg/minify/cpN-ncKPFZE/kwYVpLMkfDwJ
https://rdot.org/forum/showthread.php?t=2807
https://wordpress.org/plugins/child-theme-configurator/changelog/
Related Vulnerabilities
MySQL CVE-2019-2532 Vulnerability (CVE-2019-2532)
WordPress Plugin Web Stories Server-Side Request Forgery (1.24.0)
MySQL CVE-2020-2589 Vulnerability (CVE-2020-2589)
Artifactory Insufficient Verification of Data Authenticity Vulnerability (CVE-2018-19971)
Liferay DXP Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2021-33320)