QwikSec

Security Database

CVE

CWE

Training

CVE-2015-8351

Published: Sep 11, 2017

Modified: Aug 6, 2024

PUBLISHED

Description

PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://wordpress.org/plugins/gwolle-gb/changelog/

x_refsource_CONFIRM

https://www.htbridge.com/advisory/HTB23275

x_refsource_MISC

exploit

x_refsource_EXPLOIT-DB

20151202 Remote File Inclusion in Gwolle Guestbook WordPress Plugin

mailing-list

x_refsource_BUGTRAQ

http://packetstormsecurity.com/files/134599/WordPress-Gwolle-Guestbook-1.5.3-Remote-File-Inclusion.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.