Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion.This issue affects BuilderPress: from n/a through <= 2.0.1.
The error classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) involves the plugin failing to properly validate user input before passing it to PHP include or require functions. An attacker can supply a crafted file path, causing the application to include an arbitrary file located on the server. Under specific conditions, this can lead to execution of malicious PHP code contained in such a file.
An attacker can read sensitive files from the server (e.g., database configuration, credentials) and — under favorable conditions — execute arbitrary PHP code, which threatens complete server takeover.
The BuilderPress plugin should be updated to a version higher than 2.0.1. Details regarding the available patch version should be verified in the vendor's references and in the Patchstack database at the address indicated in the CVE description.
WordPress ThimPress BuilderPress plugin in versions from n/a to 2.0.1 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H