WordPress Plugin Vulnerabilities

wp-publications - Local File Inclusion

Description

The plugin is vulnerable to restrictive local file inclusion via the Q_FILE parameter found in the ~/bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution

Affects Plugins

Plugin icon
wp-publications
No known fix

References

CVE
CVE-2021-38360
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38360

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
8.3 (high)

Miscellaneous

Original Researcher
p7e4
Verified
No
WPVDB ID
88f35108-fc01-4396-83ec-ef569eac81fe

Timeline

Publicly Published
2021-09-09 (about 4 years ago)
Added
2021-09-10 (about 4 years ago)
Last Updated
2022-04-09 (about 4 years ago)

Other

Published
Title
Published
2020-03-24
Title
Multiple plugins - Unauthenticated Dompdf Local File Inclusion (LFI)
Published
2025-02-21
Title
Theme File Duplicator <= 1.3 - Authenticated (Subscriber+) Arbitrary File Download
Published
2024-07-04
Title
JetThemeCore for Elementor < 2.2.1 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2025-03-14
Title
PluginPass <= 0.9.10 - Unauthenticated Arbitrary File Deletion
Published
2023-10-23
Title
ICS Calendar < 10.12.0.2 - Authenticated(Contributor+) Directory Traversal via _url_get_contents