Local File Inclusion Vulnerability in Subscribe to Comments Plugin by WordPress
CVE-2015-10133

7.2 HIGH

Key Information:

Vendor: WordPress

CVE Published: 19 July 2025

What is CVE-2015-10133?

The Subscribe to Comments plugin for WordPress is susceptible to Local File Inclusion (LFI) in versions up to and including 2.1.2. The vulnerability arises from improper handling of the "Path to header" value, which lets authenticated users with administrative privileges include and execute arbitrary files from the server. By exploiting this flaw, attackers can potentially bypass access controls and execute arbitrary PHP code, leading to data exposure or further system compromise through malicious file inclusion. The risk increases when files that would otherwise be considered safe can be uploaded and then included.

Affected Version(s)

Subscribe to Comments * <= 2.1.2

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tom Adams