• WordPress Plugin Simple Fields is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin Simple Fields version 0.3.5 is vulnerable; prior versions are also affected.

• Update to plugin version 0.3.6 or latest

• • https://www.exploit-db.com/exploits/44425/
  • https://packetstormsecurity.com/files/147102/WordPress-Simple-Fields-0.3.5-File-Inclusion-Remote-Code-Execution.html
  • https://plugins.svn.wordpress.org/simple-fields/trunk/readme.txt

• 

• CWE-22

• Missing Update File Inclusion

• WordPress Plugin Catchers Helpdesk and Ticket system for Support Cross-Site Scripting (1.0.3)
• WordPress Plugin Hide My WP Cross-Site Scripting (4.53)
• WordPress Plugin LearnDash LMS Arbitrary File Upload (2.5.3)
• WordPress Plugin YITH WooCommerce Wishlist SQL Injection (2.1.2)
• WordPress Plugin Advanced Page Manager Cross-Site Scripting (1.4.1)