WordPress Phlox Theme Premium Portfolio Features Plugin Local File Inclusion Vulnerability

Vulnerability

A Local File Inclusion (LFI) vulnerability has been identified in the Premium Portfolio Features for Phlox theme plugin for WordPress, affecting all versions up to and including 2.3.10. The plugin passes the 'args[extra_template_path]' request parameter to a file include without adequately restricting it, which lets unauthenticated attackers include and execute arbitrary files on the server. This can be used to bypass access controls, read sensitive data, or achieve code execution in cases where files that look harmless (such as images) but contain PHP code can be uploaded and then included.

Impact

Because the affected endpoint is reachable without authentication, exploitation of this vulnerability could result in unauthorized execution of PHP code on the server, potentially leading to a complete compromise of the affected WordPress site.

Reproduction

To reproduce this vulnerability, send a request to the plugin's AJAX handler with the 'args[extra_template_path]' parameter set to the server-side path of a file the attacker controls, for example a previously uploaded file that contains PHP code. The request goes through wp-admin/admin-ajax.php, which WordPress exposes to unauthenticated visitors.
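The following is an added example for defenders, not code from the advisory or from the plugin: it scans web server access logs for requests to admin-ajax.php that carry the 'args[extra_template_path]' parameter with a value that looks like a file-inclusion attempt (directory traversal, an absolute filesystem path, a PHP stream wrapper, or a null byte). It assumes the combined log format used by Apache and Nginx; the log lines embedded below are constructed for illustration, and the `action=example_action` value is a placeholder because the advisory does not name the plugin's AJAX action.

```python
"""Flag likely LFI attempts against args[extra_template_path] in access logs.

Added example, not part of the advisory or the plugin. Combined log format is
assumed; the sample lines are constructed and the AJAX action name is a placeholder.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample traffic (not real). Line 1: traversal, line 2: absolute path to an
# uploaded image, line 3: php:// stream wrapper, line 4: unrelated request, line 5: benign value.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Nov/2025:12:19:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&args%5Bextra_template_path%5D=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.10 - - [05/Nov/2025:12:19:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&args[extra_template_path]=/var/www/html/wp-content/uploads/2025/11/avatar.jpg HTTP/1.1" 200 732 "-" "curl/8.4.0"
203.0.113.10 - - [05/Nov/2025:12:19:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&args%5Bextra_template_path%5D=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dwp-config HTTP/1.1" 200 9001 "-" "python-requests/2.32"
198.51.100.7 - - [05/Nov/2025:12:20:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.8 - - [05/Nov/2025:12:21:00 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&args%5Bextra_template_path%5D=portfolio-grid HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD URI PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
PARAM = "args[extra_template_path]"

# Generic LFI indicators; each is checked against the fully percent-decoded value.
SUSPICIOUS = [
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),          # ../ or ..\ segments
    ("absolute-path", re.compile(r"^([A-Za-z]:)?[\\/]")),          # /etc/passwd, C:\...
    ("stream-wrapper", re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")),  # php://, data://, phar://
    ("null-byte", re.compile("\x00")),                              # %00 truncation attempts
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%252F) are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> list:
    """Return the names of all indicators matched by a (possibly encoded) parameter value."""
    decoded = fully_decode(value)
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Return one finding per admin-ajax.php request whose template-path value is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qsl decodes keys once, so args%5B...%5D and args[...] both compare equal.
        params = parse_qsl(parts.query, keep_blank_values=True)
        action = next((v for k, v in params if k == "action"), None)
        for key, value in params:
            if fully_decode(key) != PARAM:
                continue
            indicators = classify_value(value)
            if indicators:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "action": action,
                    "status": int(m.group("status")),
                    "value": fully_decode(value),
                    "indicators": indicators,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], ",".join(f["indicators"]), f["value"])
```

Only GET query strings are visible in standard access logs; admin-ajax.php accepts the same parameters by POST, so body logging (WAF, mod_security audit log, or application-level logging) is needed to see those requests. Matching hits with a 200 status against files that the site did not intend to serve is a strong signal that the include succeeded.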

Remediation

Users are advised to update the Premium Portfolio Features for Phlox theme plugin to version 2.3.12 or later. Until the update is applied, administrators should review access logs for requests to wp-admin/admin-ajax.php that carry the 'args[extra_template_path]' parameter.

Added: Nov 5, 2025, 12:19 PM
Updated: Nov 5, 2025, 12:19 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.6
exploitability: 8.6
remediation: 7.7
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.