WordPress National Weather Service Alerts Plugin Local File Inclusion Vulnerability

A local file inclusion vulnerability has been identified in the WordPress National Weather Service Alerts plugin, affecting versions through 1.3.5. This vulnerability arises from improper control of filenames in include or require statements, allowing PHP remote file inclusion that could be exploited to access local files on the server.

Impact

Exploitation of this vulnerability could lead to unauthorized access to local files on the server, with the potential to read sensitive information such as database credentials. Depending on the server configuration, this could allow a complete takeover of the database.

Remediation

Users are advised to update to a version of the National Weather Service Alerts plugin that is not affected by this vulnerability. As of now, no official fix is available, but Patchstack has issued a virtual patch that can be applied.