Description
WordPress Plugin Spicy Blogroll is prone to a local file include vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process; this may aid in launching further attacks. WordPress Plugin Spicy Blogroll version 1.0.0 is vulnerable; other versions may also be affected.
Remediation
Edit the source code to ensure that input is properly sanitised or disable the plugin until a fix is available
References
https://www.exploit-db.com/exploits/26804/
http://1337day.com/exploit/20994
http://packetstormsecurity.com/files/122396/WordPress-Spicy-Blogroll-Local-File-Inclusion.html
Related Vulnerabilities
WordPress Plugin YITH WooCommerce Waiting List Security Bypass (1.3.9)
WordPress Plugin MailPoet Newsletters (Previous) Security Bypass (2.8.1)
WordPress Plugin FV Flowplayer Video Player SQL Injection (7.3.18.727)
WordPress Plugin Newsletter Open Redirect (3.7.0)
WordPress Plugin Photo Gallery by 10Web-Mobile-Friendly Image Gallery Directory Traversal (1.3.42)