WordPress Plugin Vulnerabilities

WP Rocket <= 2.10.3 - Local File Inclusion (LFI)

Description

Requires older versions of PHP that are vulnerable to null byte injection.

Affects Plugins

Plugin icon
wp-rocket
Fixed in 2.10.4

References

CVE
CVE-2017-11658
URL
https://wp-rocket.me/changelog
URL
https://gist.github.com/Shinkurt/157dbb3767c9489f3d754f79b183a890

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
5484d821-7017-47a8-90d8-7d87cb5e0e50

Timeline

Publicly Published
2017-06-22 (about 8 years ago)
Added
2017-07-28 (about 8 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2026-03-02
Title
Page Builder by SiteOrigin < 2.34.0 - Contributor+ Local File Inclusion
Published
2026-01-16
Title
Gutenberg Thim Blocks < 1.0.2 - Authenticated (Contributor+) Arbitrary File Read via 'iconSVG' Parameter
Published
2022-01-31
Title
Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI
Published
2025-03-06
Title
Ultimate Video Player < 10.1 - Unauthenticated Arbitrary File Download
Published
2024-09-03
Title
WP Job Portal < 2.1.7 - Missing Authorization to Unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation