Description

WordPress Plugin WP Custom Pages is prone to a local file disclosure vulnerability because it fails to adequately validate user-supplied input. Exploiting this vulnerability may allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. WordPress Plugin WP Custom Pages versions 0.5.0.1 and prior are vulnerable.

Remediation

Edit the source code to ensure that input is properly sanitised or disable the plugin until a fix is available

References

http://www.securityfocus.com/bid/47146/exploit

http://www.autosectools.com/Advisories/WordPress.WP.Custom.Pages.0.5.0.1_Local.File.Inclusion_169.html

http://www.exploit-db.com/exploits/17119/

http://packetstormsecurity.com/files/view/100047/WordPressWPCustomPages0.5.0.1-lfi.txt

http://secunia.com/advisories/43963/

Related Vulnerabilities

Serendipity Other Vulnerability (CVE-2005-1450)

Squid Improper Input Validation Vulnerability (CVE-2013-1839)

WordPress Plugin ReviewX-Multi-criteria Rating & Reviews for WooCommerce CSV Injection (1.6.7)

WordPress Plugin YITH WooCommerce Questions and Answers Security Bypass (1.1.9)

WordPress Plugin WordPress Backup and Migrate-Backup Guard Cross-Site Request Forgery (1.1.90)

Severity

High

Classification

CVE-2011-1669 CWE-22 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Information Disclosure