Vulnerabilities > CVE-2021-38360 - Inclusion of Functionality from Untrusted Control Sphere vulnerability in Wp-Publications Project Wp-Publications

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

wp-publications-project

CWE-829

critical

NVD

Published: 2021-09-10

Updated: 2021-09-21

Summary

The wp-publications WordPress plugin is vulnerable to restrictive local file inclusion via the Q_FILE parameter found in the ~/bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution, in versions up to and including 0.0.

Vulnerable Configurations

Part	Description	Count
Application	Wp-Publications_Project WP Publications Project WP Publications -	1

Common Weakness Enumeration (CWE)

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

References

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38360
https://plugins.trac.wordpress.org/browser/wp-publications/trunk/bibtexbrowser.php?rev=1830330#L49