Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 BeeTeam368 Extensions beeteam368-extensions allows PHP Local File Inclusion.This issue affects BeeTeam368 Extensions: from n/a through <= 1.9.4.
The vulnerability results from improper file name control used in PHP include/require instructions (CWE-98). An attacker can supply a crafted file path which the plugin then includes without proper validation. This allows reading or executing local files of the server operating system that the PHP process has access to. The exploit requires no authentication, user interaction, or special environment configuration.
An attacker can read confidential system files (e.g., configurations, credentials) and potentially execute PHP code present on the server, leading to complete takeover of the application and server, data disclosure, and system integrity violation.
Apply patches available from the vendor according to the references. It is recommended to immediately update the plugin to a version higher than 1.9.4 or deactivate and remove it until a patched version is released. Details are available in the Patchstack database at the indicated reference address.
BeeTeam368 Extensions plugin for WordPress in versions from its inception through 1.9.4 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H