Traveler WordPress Theme Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the Traveler theme for WordPress, affecting all versions through 3.1.8. The issue arises in the 'hotel_alone_slider' shortcode, specifically within the 'style' attribute. This vulnerability allows authenticated attackers with contributor-level permissions or higher to include and execute arbitrary files on the server. Consequently, any PHP code contained in those files could be executed. This vulnerability could be exploited to bypass access controls, access sensitive information, or achieve code execution in scenarios where PHP files can be uploaded and included.
Impact
Exploitation of this vulnerability could lead to unauthorized file inclusion, allowing attackers to execute arbitrary PHP code on the server. This could be used to bypass access controls, access sensitive data, or execute malicious code, especially in cases where uploaded PHP files can be included and executed.
Remediation
Users are advised to update the Traveler WordPress theme to version 3.2.0 or a later patched version.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.