• WordPress Plugin Spicy Blogroll is prone to a local file include vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process; this may aid in launching further attacks. WordPress Plugin Spicy Blogroll version 1.0.0 is vulnerable; other versions may also be affected.

• Edit the source code to ensure that input is properly sanitised or disable the plugin until a fix is available

• • https://www.exploit-db.com/exploits/26804/
  • http://1337day.com/exploit/20994
  • http://packetstormsecurity.com/files/122396/WordPress-Spicy-Blogroll-Local-File-Inclusion.html
  • http://www.securityfocus.com/bid/61162/

• 

• CWE-22

• CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

• Missing Update File Inclusion

• WordPress Plugin User Control SQL Injection (2.1.0)
• WordPress Plugin PIKLIST-Rapid development framework Cross-Site Scripting (0.9.4.25)
• WordPress Plugin Users Ultra Membership Multiple Vulnerabilities (1.5.62)
• WordPress Plugin Jetpack by WordPress.com Cross-Site Scripting (6.4.2)
• WordPress Plugin WP Custom Pages 'url' Parameter Local File Disclosure (0.5.0.1)