WordPress Plugin Vulnerabilities

YARPP - Yet Another Related Posts Plugin < 5.30.5 - Subscriber+ LFI

Description

The plugin does not validate a parameter before using it in an include statement, allowing any authenticated users, such as subscriber to perform LFI attacks

Affects Plugins

Plugin icon
yet-another-related-posts-plugin
Fixed in 5.30.5

References

CVE
CVE-2022-45374

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
Yes
WPVDB ID
b34976b3-54c3-45b7-86a0-387ee0a4b680

Timeline

Publicly Published
2023-04-18 (about 1 years ago)
Added
2023-04-22 (about 1 years ago)
Last Updated
2023-07-19 (about 10 months ago)

Other

Published
Title
Published
2024-02-08
Title
Honeypot for WP Comment <= 2.2.3 - Directory Traversal to Unauthenticated Arbitrary File Deletion
Published
2023-10-11
Title
Icegram Express < 5.6.24 - Admin+ Directory Traversal
Published
2017-09-20
Title
WordPress 3.0-4.8.1 - Path Traversal in Unzipping
Published
2017-12-28
Title
Church Admin 0.33.2.1 - Unauthenticated Directory Traversal
Published
2016-08-15
Title
Ajax Load More <= 2.11.1 - Local File Inclusion (LFI)