Unauthenticated Local File Inclusion | ww.wp.xz.cn

Gabriel Christian
(@ebhukhosy)

10 months, 3 weeks ago

The Essential Real Estate plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 5.2.1. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Is the team working on getting this fixed?

Full report on https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/essential-real-estate/essential-real-estate-521-unauthenticated-local-file-inclusion

The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)

chazcdes
(@chazcdes)

10 months, 2 weeks ago

I have the same critical error appearing on my site, I really enjoy this plugin and hope to hear from the team on a update on a fix. @Gabriel Christian have you heard anything from anyone regarding this? If not, what direction did you head in to secure your site?

Andy
(@routetoweb)

8 months, 3 weeks ago

Still an issue in 5.2.2 according to https://patchstack.com/database/wordpress/plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-5-2-1-local-file-inclusion-vulnerability?_a_id=350

chazcdes
(@chazcdes)

8 months, 3 weeks ago

That’s so sad, thanks Andy (@routetoweb) for your update.

Andy
(@routetoweb)

7 months, 3 weeks ago

A month on from my last post and still not an update. However Wordfence doesn’t flag it up as an issue, so is it fixed and Patchstack have it wrong?

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Unauthenticated Local File Inclusion’ is closed to new replies.

5 replies
3 participants
Last reply from: Andy
Last activity: 7 months, 3 weeks ago
Status: not resolved