Vulnerabilities > CVE-2021-38360 - Inclusion of Functionality from Untrusted Control Sphere vulnerability in Wp-Publications Project Wp-Publications

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

wp-publications-project

CWE-829

NVD

Published: 2021-09-10

Updated: 2021-09-21

Summary

The wp-publications WordPress plugin is vulnerable to restrictive local file inclusion via the Q_FILE parameter found in the ~/bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution, in versions up to and including 0.0.

Vulnerable Configurations

Part	Description	Count
Application	Wp-Publications_Project WP Publications Project WP Publications -	1

Common Weakness Enumeration (CWE)

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

References

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38360
https://plugins.trac.wordpress.org/browser/wp-publications/trunk/bibtexbrowser.php?rev=1830330#L49