Admin-only local file inclusion and arbitrary code execution in Subscribe to Comments 2.1.2


Last revised:

Administrators can perform Local File include attacks, which is a privilege escalation on systems where the administrator doesn’t have control over the server.

If administrators can upload PHP files (or any file which can contain “<?php …”), they can also perform arbitrary code execution by the same method.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 8 High
Vector Network
Complexity Low
Authentication Single
Confidentiality Complete
Integrity Partial
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Advisory timeline

2013-08-07: Discovered
2015-07-13: Reported to vendor by email
2015-07-13: Requested CVE
2015-07-14: Vendor responded confirming fixed in version 2.3
2015-07-14: Published

Mitigation/further actions

Upgrade to version 2.3 or later