CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
What the vulnerability does
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5.
Explanation of Vulnerability in Simple Terms
Portfolio Builder versions 1.2.5 and earlier contain a code injection vulnerability that allows unauthenticated attackers to execute arbitrary code on the site. The vulnerability requires specific conditions to exploit but can result in complete compromise of the site, including data theft and unauthorized modifications. Site administrators should update immediately to a patched version.
What an attacker can do
Run their own code on the site without authentication.
Potential impact on your site
Complete site compromise: attackers can steal data, modify content, create admin accounts, or take the site offline.
Conditions required to exploit
Network access to the site; specific conditions must be met to trigger the vulnerability.
Key dates
External resources
Related vulnerabilities
