WordPress Plugin Vulnerabilities

WANotifier < 2.6 - Subscriber+ LFI

Description

The plugin does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.

Proof of Concept

Affects Plugins

Fixed in 2.6

References

Classification

Type
LFI
OWASP top 10
CWE
CVSS

Miscellaneous

Original Researcher
Project Black
Submitter
Project Black
Submitter twitter
Verified
Yes

Timeline

Publicly Published
2026-06-15 (about 22 days ago)
Added
2026-06-15 (about 22 days ago)
Last Updated
2026-06-15 (about 22 days ago)

Other