CVE-2015-8351

critical

Description

PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.

References

Advisories
More

https://www.htbridge.com/advisory/HTB23275

https://www.exploit-db.com/exploits/38861/

https://wordpress.org/plugins/gwolle-gb/changelog/

http://packetstormsecurity.com/files/134599/WordPress-Gwolle-Guestbook-1.5.3-Remote-File-Inclusion.html

http://www.securityfocus.com/archive/1/537020/100/0/threaded

Details

Source: Mitre, NVD

Published: 2017-09-11

Updated: 2026-05-13

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.37032