Arbitrary File Inclusion Vulnerability in Stars Testimonials Plugin
CVE-2024-11429

8.8 HIGH

Summary

The Stars Testimonials plugin for WordPress, developed by Free Responsive Testimonials, contains a Local File Inclusion vulnerability that affects all versions up to and including 3.3.3. The flaw is reachable through the 'stars-testimonials-with-slider-and-masonry-grid' shortcode, so any authenticated user with contributor-level access or higher can trigger it. It allows an attacker to include and execute arbitrary PHP files on the server, which can expose sensitive data, bypass access controls, and lead to execution of attacker-supplied PHP code; a successful inclusion may also serve as a foothold for further compromise of the system.
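The following PHP is an added illustration and is not code from the Stars Testimonials plugin or from its developer. It shows, in a hypothetical shortcode handler, the Local File Inclusion pattern that this class of advisory describes (an include path built from a shortcode attribute) next to a hardened handler that treats the attribute only as a key into a fixed allowlist and verifies the resolved path. The attribute name `template`, the template file names and the function names are assumptions made for the example; the shortcode tag is the one named in the advisory.

```php
<?php
// Added example for CVE-2024-11429's vulnerability class; not the plugin's code.
// The 'template' attribute, file names and function names are assumptions.

// Vulnerable pattern (hypothetical): the include path is assembled from a
// shortcode attribute. A contributor who can place shortcodes in a post
// therefore chooses which PHP file the server executes, including files
// outside the templates directory via '../' sequences.
function hypothetical_testimonials_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'template' => 'grid' ),
        $atts,
        'stars-testimonials-with-slider-and-masonry-grid'
    );
    ob_start();
    // Unsafe: user-controlled value becomes part of an include path.
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['template'] . '.php';
    return ob_get_clean();
}

// Hardened version: the attribute is never used as a path fragment. It is
// normalised with sanitize_key() and looked up in a fixed allowlist; unknown
// values fall back to the default. As defence in depth the resolved file must
// still be located under the plugin's own templates directory.
function hypothetical_testimonials_shortcode_hardened( $atts ) {
    $allowed = array(
        'grid'   => 'grid.php',
        'slider' => 'slider.php',
    );
    $atts = shortcode_atts(
        array( 'template' => 'grid' ),
        $atts,
        'stars-testimonials-with-slider-and-masonry-grid'
    );
    $key = sanitize_key( $atts['template'] );
    if ( ! isset( $allowed[ $key ] ) ) {
        $key = 'grid';
    }

    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = ( false !== $base ) ? realpath( $base . DIRECTORY_SEPARATOR . $allowed[ $key ] ) : false;
    // Refuse anything that does not resolve to a real file inside the templates dir.
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $file;
    return ob_get_clean();
}

add_shortcode(
    'stars-testimonials-with-slider-and-masonry-grid',
    'hypothetical_testimonials_shortcode_hardened'
);
```

The allowlist is the actual fix: once the attribute can only select among known keys, no value a contributor supplies ever reaches `include` as a path. The `realpath` containment check adds nothing against this specific pattern but catches mistakes such as a future allowlist entry that points outside the directory, which is why it is kept in the hardened handler.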

Affected Version(s)

Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials: all versions <= 3.3.3

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Peter Thaleikis