WordPress Ach Invoice App Local File Inclusion Vulnerability

A local file inclusion vulnerability has been identified in the WordPress Ach Invoice App plugin, affecting versions through 1.0.1. This vulnerability arises from improper control of filenames in include or require statements, allowing PHP remote file inclusion that could be exploited to include local files from the server.

Impact

Exploitation of this vulnerability could allow a malicious actor to include local files from the server and display their contents. This could potentially lead to a complete takeover of the database, depending on the configuration, as files containing sensitive information like database credentials could be accessed.

Remediation

Users are advised to update to a version of the Ach Invoice App plugin that is not vulnerable to this issue. However, since this software is likely abandoned and no official fix is available, it is recommended to remove and replace the plugin with an alternative. Patchstack offers a virtual patch to mitigate this vulnerability by blocking attacks until an official fix can be applied.