Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows PHP Local File Inclusion.This issue affects Geo Mashup: from n/a through <= 1.13.16.
The vulnerability results from improper file name validation in PHP include/require instructions (CWE-98). An attacker can manipulate input parameters in such a way that the application includes and executes an arbitrary local PHP file on the server. Authentication or user interaction is not required, and the attack is possible directly over the network.
An attacker can gain full access to sensitive data on the server, modify website content, or cause it to become unavailable. In favorable circumstances, remote code execution (RCE) on the target server is also possible.
Patches available from the vendor should be applied according to the references — update the Geo Mashup plugin to a version higher than 1.13.16 immediately after release by the author or WordPress repository.
Geo Mashup plugin by Dylan Kuhn for WordPress in versions from n/a to 1.13.16 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H