WordPress Plugin Vulnerabilities
WANotifier < 2.6 - Subscriber+ LFI
Description
The plugin does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.
Proof of Concept
Affects Plugins
References
Classification
Type
LFI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Project Black
Submitter
Project Black
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-15 (about 22 days ago)
Added
2026-06-15 (about 22 days ago)
Last Updated
2026-06-15 (about 22 days ago)