Vulnerability Description
PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gwolle Guestbook Project | Gwolle Guestbook | <= 1.5.3 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/134599/WordPress-Gwolle-Guestbook-1.5.3-RemThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/archive/1/537020/100/0/threaded
- https://wordpress.org/plugins/gwolle-gb/changelog/Third Party Advisory
- https://www.exploit-db.com/exploits/38861/Third Party AdvisoryVDB Entry
- https://www.htbridge.com/advisory/HTB23275Third Party Advisory
- http://packetstormsecurity.com/files/134599/WordPress-Gwolle-Guestbook-1.5.3-RemThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/archive/1/537020/100/0/threaded
- https://wordpress.org/plugins/gwolle-gb/changelog/Third Party Advisory
- https://www.exploit-db.com/exploits/38861/Third Party AdvisoryVDB Entry
- https://www.htbridge.com/advisory/HTB23275Third Party Advisory
FAQ
What is CVE-2015-8351?
CVE-2015-8351 is a vulnerability with a CVSS score of 9.0 (CRITICAL). PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code vi...
How severe is CVE-2015-8351?
CVE-2015-8351 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2015-8351?
Check the references section above for vendor advisories and patch information. Affected products include: Gwolle Guestbook Project Gwolle Guestbook.