Description
main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.
Remediation
References
Related Vulnerabilities
WordPress Plugin Tutor LMS-eLearning and online course solution Cross-Site Scripting (1.9.11)
WordPress Plugin ApplyOnline-Application Form Builder and Manager Arbitrary File Disclosure (1.9.92)
WordPress Plugin WP-Curriculo Vitae Free Arbitrary File Upload (6.3)