WHMpress WordPress Integration Plugin Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the WHMpress - WHMCS WordPress Integration Plugin, affecting all versions up to and including 6.3-revision-0. The flaw lies in the whmpress_domain_search_ajax_extended_results() function, which lets unauthenticated attackers include and execute arbitrary files on the server. Successful exploitation can bypass access controls, expose sensitive data, or execute PHP code contained in previously uploaded files. The same flaw also lets attackers update arbitrary options on the WordPress site, which can be abused to gain administrative access by manipulating user roles.
Impact
Exploitation of this vulnerability could lead to unauthorized file inclusion, execution of arbitrary PHP code, and unauthorized updates to WordPress options, including user roles.
Remediation
Users are advised to update the WHMpress - WHMCS WordPress Integration Plugin to version 6.3-revision-1 or a newer patched version.
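The usual fix for this class of bug is to stop using the request value as a path fragment at all: map it through an allowlist and re-check the resolved path against the expected directory. The following is an added example and not the WHMpress plugin's code or its patch; the function name, the `.php` template layout, the temporary directory and the allowlist contents are assumptions.

```php
<?php
// Added example (not the WHMpress plugin's code): an allowlist-based resolver
// for a user-supplied template name, the standard defence against local file
// inclusion in a PHP/WordPress AJAX handler. All names here are assumptions.

/**
 * Resolve a user-supplied template name to a file under $base_dir, or return
 * null if the request must be refused. Only names in $allowlist are accepted,
 * and the resolved path is checked against the base directory so traversal
 * ("../"), absolute paths and stream wrappers ("php://") never reach include.
 */
function whm_example_resolve_template(string $requested, string $base_dir, array $allowlist): ?string
{
    // 1. Reject anything outside a conservative character set up front.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    // 2. The request is only ever used as a lookup key into a fixed set of
    //    templates, never concatenated into a path on its own.
    if (!in_array($requested, $allowlist, true)) {
        return null;
    }
    // 3. realpath() collapses symlinks and "..", so the containment check below
    //    compares canonical paths. A missing file yields false and is refused.
    $base      = realpath($base_dir);
    $candidate = realpath($base_dir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed self-test: a temporary directory containing one allowed template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'whm_example_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'results.php', "<?php echo 'ok';\n");
$allow = ['results', 'summary'];

$cases = [
    'results',             // allowed name, file present  -> resolved path
    'summary',             // allowed name, file absent   -> refused
    '../../etc/passwd',    // traversal                   -> refused
    'php://input',         // stream wrapper              -> refused
    '/etc/hostname',       // absolute path               -> refused
];
foreach ($cases as $name) {
    $resolved = whm_example_resolve_template($name, $dir, $allow);
    printf("%-20s => %s\n", $name, $resolved === null ? 'refused' : 'include ' . basename($resolved));
}

unlink($dir . DIRECTORY_SEPARATOR . 'results.php');
rmdir($dir);
```

In a WordPress handler registered with `add_action('wp_ajax_nopriv_...', ...)`, only the non-null return value would ever be passed to `include`. The option-update half of the advisory is a separate check: any code path that calls `update_option()` on a value taken from the request needs a capability check (`current_user_can()`) and a nonce check (`check_ajax_referer()`) before it runs, and should write only to the specific option it owns rather than an option name supplied by the client.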
