• Resolved Bob

    (@toggerybob)


    Issue Details

    CVSS Score 7.5

    #WordPress List category posts <= 0.90.3 – Local File Inclusion Vulnerability
    -Vulnerability type: Local File Inclusion
    -No Update Available


Viewing 15 replies - 1 through 15 (of 15 total)
  • Same issue here: View in Patchstack

    The report I got from Wordfence said that the vulnerability “makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server.” So it sounds like if you’re a single-user site there’s no immediate risk?

    Probably safe if you are a single-user. Still hope this is getting fixed asap!

    Per GitHub the developer is aware and is working on a patch. The GitHub comments suggest that markilus and Bodhipaksa (above) are correct. Oh, fix came out just now 0.91.0.

    • This reply was modified 9 months, 1 week ago by cwjordan.
    Plugin Author Fernando Briano

    (@fernandobt)

    Version 0.91.0 just went out which should address the issue.

    Sorry for the scare, but as Wordfence describes, the issue needs an authenticated attacker, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. So you’d need an authenticated attacker, with access to the server filesystem so they can upload/modify a file, to make use of this vulnerability.

    The system would have been compromised already to use it. Most WordPress blogs are not in danger, unless a malicious user has already gained access to their website (in which case, the problems they could cause are much bigger than what they could achieve with List Category Posts).

    Thanks, and hope you can keep enjoying the plugin 🙂

    Thank you for the fix, Fernando!

    Thanks a mill. for the fix. I use this plugin for a lot of different scenarios, so keep up the very good work.

    @hummelmose: Seems you have still version 0-90-3 (see your URL)

    However I still have it too with 0.91.0
    WordPress List category posts <= 0.91.0 – Local File Inclusion Vulnerability
    View in Patchstack

    @bokibe – Nope – I have Version 0.9.1 – installed it as soon as it was released.

    Plugin Author Fernando Briano

    (@fernandobt)

    The issue for 0.91.0 is a new one indeed. It is marked as Low priority:

    “This security issue has a low severity impact and is unlikely to be exploited.”

    The update in 0.91.0 makes it so that you can only include template files from the list-category-posts directory in your theme’s directory. File inclusion is a core functionality of the template system; it lets users create their own templates by uploading a file and referencing it with the shortcode. For this to be used as an exploit, a malicious actor needs to have access to uploading/editing files on the server and editing posts with Contributor+ permissions. As I mentioned before, by this point the system would be absolutely compromised and what can be done with the plugin is minimal in comparison to having a compromised server and WordPress system.

    I’d like to fix this, but I don’t know if what’s expected is to completely remove the feature? A user with access to a WordPress system and the server is always going to be able to manipulate PHP files and include them wherever. I’m open to ideas.

    I also think the reports make it look very alarming and don’t make it clear enough that this “vulnerability” needs a completely compromised system.
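
One way to enforce the restriction described in the reply above, where templates load only from the list-category-posts directory inside the theme directory. This is an added example, not part of the thread and not the plugin's actual code; the function name `lcp_example_resolve_template()` and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. lcp_example_resolve_template() and the
// directory layout below are hypothetical names used for illustration.

/**
 * Resolve a shortcode-supplied template name to a file inside
 * <theme dir>/list-category-posts/, or return null if it is not allowed.
 */
function lcp_example_resolve_template(string $themeDir, string $name): ?string
{
    // Allow-list the name itself: letters, digits, underscore, hyphen only.
    // This rejects separators, dots, null bytes and stream wrappers up front.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    $base = realpath($themeDir . '/list-category-posts');
    if ($base === false) {
        return null; // template directory does not exist
    }

    // realpath() resolves symlinks, so a link pointing outside the
    // directory is caught by the prefix check below.
    $path = realpath($base . '/' . $name . '.php');
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway theme directory with one template.
$theme = sys_get_temp_dir() . '/lcp-example-' . bin2hex(random_bytes(4));
mkdir($theme . '/list-category-posts', 0700, true);
file_put_contents($theme . '/list-category-posts/default.php', "<?php // template\n");
file_put_contents($theme . '/functions.php', "<?php // not a template\n");

foreach (['default', '../functions', 'default.php', 'missing'] as $candidate) {
    $resolved = lcp_example_resolve_template($theme, $candidate);
    printf("%-14s => %s\n", $candidate, $resolved === null ? 'rejected' : 'allowed');
}

// Clean up the constructed demo files.
array_map('unlink', [$theme . '/list-category-posts/default.php', $theme . '/functions.php']);
rmdir($theme . '/list-category-posts');
rmdir($theme);
```

The check only narrows which files a shortcode can reference; anyone who can write files into that template directory can still have their PHP included, which is the residual case the plugin author describes.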

    Hi @fernandobt

    Thanks for the feedback. Have a great weekend.

    Thread Starter Bob

    (@toggerybob)

    We’re out. Thanks anyway.

    Hi Fernando,

    I know it’s not high prio, but you think it will be fixed? Our security plugin keeps giving us warnings.

    We use it a lot, so it would be great if it gets fixed.

    Plugin Author Fernando Briano

    (@fernandobt)

    Patchstack has now marked the issue fixed in version 0.92.0:
    https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability

    As mentioned before, this is not an issue for single-user instances, and it’s very low risk for systems with several users. But it’s marked as fixed if you update to version 0.92.0. Thanks.
