Local File Inclusion Vulnerability in WHMpress WordPress Plugin
CVE-2024-9193
9.8 CRITICAL
Key Information:
- Vendor: Creativeon
- Product: Whmpress - Whmcs WordPress Integration Plugin
- CVE Published: 28 February 2025
Summary
The WHMpress - WHMCS WordPress Integration Plugin is susceptible to a Local File Inclusion vulnerability, allowing unauthenticated users to include arbitrary files on the server through the whmpress_domain_search_ajax_extended_results() function. This flaw can be exploited to execute PHP code, potentially bypassing access controls and compromising sensitive data. Attackers may gain administrative access by manipulating the site's registration options and leveraging the /admin/services.php file, leading to a severe security breach.
Affected Version(s)
WHMpress - WHMCS WordPress Integration Plugin * <= 6.3-revision-0
CVSS V3.1
- Score: 9.8
- Severity: CRITICAL
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Tonn