WordPress Subscribe to Comments Local File Inclusion and Arbitrary Code Execution Vulnerability

Vulnerability

A local file inclusion vulnerability allowing arbitrary file execution has been identified in the Subscribe to Comments WordPress plugin, affecting versions through 2.1.2. This vulnerability arises from improper handling of the 'Path to header' value, enabling authenticated attackers with administrative privileges to include and execute arbitrary files on the server. Exploitation of this vulnerability could lead to bypassing access controls, accessing sensitive information, or executing PHP code in scenarios where 'safe' file types can be uploaded and included.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive data, execution of malicious code on the server, and privilege escalation from WordPress administrator to the web server account on hosts where the WordPress administrator does not otherwise control the server.

Reproduction

To reproduce this vulnerability, navigate to the WordPress admin panel and go to 'Options' under the 'Subscribe to Comments' plugin. In the 'Path to header' field, enter a path to a file you wish to include, such as '/etc/passwd'. After submitting the form, the specified file will be included and its contents can be accessed.
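A validation routine of the kind that closes this class of bug, added here as an illustration and not taken from the plugin: the configured path is treated as relative to an allowed directory, canonicalised with realpath(), and included only if it stays inside that directory and is an existing .php file. get_option() and get_template_directory() are WordPress functions; the option name is a placeholder and the allowed directory is an assumption.

```php
<?php
// Added example (not the plugin's code): validate an administrator-supplied
// "Path to header" setting before it reaches include().

/**
 * Resolve $configured against $allowed_base and return the canonical path
 * only if it is an existing .php file inside $allowed_base; null otherwise.
 */
function resolve_header_path(string $configured, string $allowed_base): ?string {
    // Reject empty values and embedded NUL bytes outright.
    if ($configured === '' || strpos($configured, "\0") !== false) {
        return null;
    }
    $base = realpath($allowed_base);
    if ($base === false) {
        return null;
    }
    // Treat the setting as relative to the base, never as an absolute path,
    // so '/etc/passwd' becomes '<base>/etc/passwd' and fails to resolve.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($configured, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null; // missing file, or a directory
    }
    // After realpath(), '..' segments and symlinks are resolved, so a plain
    // prefix comparison is enough to detect escapes from the base directory.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Only PHP templates may be included; uploaded 'safe' file types are not.
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'php') {
        return null;
    }
    return $candidate;
}

// Usage inside WordPress. 'EXAMPLE_header_path_option' is a placeholder option
// name; restricting to the active theme directory is an assumed policy.
$path = resolve_header_path(
    (string) get_option('EXAMPLE_header_path_option', ''),
    get_template_directory()
);
if ($path !== null) {
    include $path;
} else {
    get_header(); // fall back to the theme header rather than the raw setting
}
```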

Remediation

Users are advised to upgrade to version 2.3 or later.

Added: Jul 19, 2025, 10:34 AM
Updated: Jul 19, 2025, 10:34 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact         10.0
exploitability  6.3
remediation     7.7
relevance       0.3
threat          7.6
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.