Player Leaderboard WordPress Plugin Local File Inclusion Vulnerability
Vulnerability
The Player Leaderboard plugin for WordPress is vulnerable to local file inclusion in all versions up to and including 1.0.2. The plugin's 'player_leaderboard' shortcode takes the value of its 'mode' attribute from the post content and uses it to build a file path without sanitizing the value or validating the resulting path. Because Contributor-level users (and above) can place shortcodes in posts they author, an authenticated attacker with that role can make the plugin include, and therefore execute, an arbitrary PHP file present on the server. Where the attacker can also upload files, the issue escalates to full remote code execution.
Impact
A successful exploit lets the attacker include, and so execute, PHP files of their choosing on the server. Depending on which files are reachable, this can be used to bypass access controls, access sensitive information, or, when the attacker can also place a file on the server through an upload feature, achieve full remote code execution.
Reproduction
As an authenticated user with Contributor privileges or higher, create or edit a post containing the 'player_leaderboard' shortcode and set its 'mode' attribute to a value that resolves to a PHP file of your choosing rather than a value the plugin expects. When the post is rendered (for example when it is previewed), the plugin builds the include path from that attribute without validating it and executes the referenced file.
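The pattern described in the Vulnerability and Reproduction sections, reconstructed as an added PHP example. This is illustrative code written for this page, not the Player Leaderboard plugin's source: the function names, the templates/ directory, the appended '.php' suffix and the allowed mode names are all assumptions. The vulnerable resolver splices the 'mode' attribute straight into the include path; the hardened one only lets the attribute choose among known template names.

```php
<?php
// Added illustration, not the Player Leaderboard plugin's source code. It
// reconstructs the pattern the advisory describes: a shortcode attribute
// ('mode') spliced into an include path without validation, beside a
// hardened version. Function names, the templates/ directory, the '.php'
// suffix and the allowed mode names are assumptions made for the example.

// Stand-ins so the file also runs from the CLI outside WordPress.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( array $pairs, $atts ) {
        $atts = (array) $atts;
        $out  = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}
if ( ! function_exists( 'sanitize_key' ) ) {
    function sanitize_key( $key ) {
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}

define( 'PL_TEMPLATE_DIR', __DIR__ . '/templates/' );

// VULNERABLE: whatever the post author wrote in mode="..." is concatenated
// into the path. Traversal sequences walk out of templates/, so any .php
// file readable by the web server can be included and executed (LFI); a file
// the attacker managed to upload turns that into RCE.
function pl_template_path_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'mode' => 'default' ), $atts );
    return PL_TEMPLATE_DIR . $atts['mode'] . '.php';
}

// HARDENED: the attribute only selects among known template names; anything
// else falls back to the default. sanitize_key() strips path characters as a
// second layer, but the allowlist is what actually closes the hole.
function pl_template_path_fixed( $atts ) {
    $allowed = array( 'default', 'compact' ); // assumed mode names
    $atts    = shortcode_atts( array( 'mode' => 'default' ), $atts );
    $mode    = sanitize_key( $atts['mode'] );
    if ( ! in_array( $mode, $allowed, true ) ) {
        $mode = 'default';
    }
    return PL_TEMPLATE_DIR . $mode . '.php';
}

// Shortcode handler built on the hardened resolver; registered only when
// WordPress is loaded.
function pl_leaderboard_shortcode( $atts ) {
    $path = pl_template_path_fixed( $atts );
    if ( ! is_file( $path ) ) {
        return '';
    }
    ob_start();
    include $path;
    return ob_get_clean();
}
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'player_leaderboard', 'pl_leaderboard_shortcode' );
}

// CLI demo with a constructed traversal value (not a payload taken from the advisory).
if ( PHP_SAPI === 'cli' && realpath( $_SERVER['SCRIPT_FILENAME'] ) === __FILE__ ) {
    $evil = array( 'mode' => '../../../../tmp/attacker_controlled' );
    echo "vulnerable: ", pl_template_path_vulnerable( $evil ), "\n"; // escapes templates/
    echo "fixed:      ", pl_template_path_fixed( $evil ), "\n";      // templates/default.php
}
```

Run it with `php` on the command line to see the two resolved paths side by side. The allowlist, not the character filter, is the real fix: a filter that merely strips characters leaves the attacker choosing the file name, whereas the allowlist means the attribute can only pick which of the plugin's own templates is rendered.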
Remediation
Users are advised to update the Player Leaderboard plugin to version 1.0.3 or later, which addresses this issue. Until the update is applied, any existing post from a Contributor-level account that uses the 'player_leaderboard' shortcode with an unexpected 'mode' value should be treated as suspicious and reviewed.
