PT-2022-13960 · WordPress · Amministrazione Aperta

Hassan Khan Yusufzai (+1)

Published: 2022-05-16 · Updated: 2022-10-14 · CVE-2022-1560

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Amministrazione Aperta WordPress plugin, versions prior to 3.8

Description: The plugin does not validate the open parameter before using it in an include statement, which results in Local File Inclusion. Although the issue was initially thought to be exploitable by unauthenticated users, the affected file generates a fatal error when accessed directly, so the vulnerable code cannot be reached that way. Exploitation is still possible through the dashboard when logged in as an admin, or by tricking a logged-in admin into opening a malicious link.

Recommendations: For versions prior to 3.8, update to version 3.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the dashboard and limiting the ability of admins to open links from untrusted sources. Avoid passing the open parameter to include statements until the issue is resolved.
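The pattern the advisory describes, and the shape of the fix, as an added illustrative example (this is not the plugin's own code; the aa_* function names, the sub-page list, the nonce action and the text domain are assumptions):

```php
<?php
// Illustrative example, not the plugin's code. A dashboard page picks which
// sub-page to include based on the `open` request parameter.

// Vulnerable pattern described in the advisory: the parameter reaches
// include() without any validation, so a traversal sequence in `open`
// makes the server include files it never meant to expose.
function aa_render_page_vulnerable() {
    $open = isset( $_GET['open'] ) ? $_GET['open'] : 'home';
    include plugin_dir_path( __FILE__ ) . 'pages/' . $open . '.php';
}

// Hardened version. The request value is never used as a path: it is only a
// key into a fixed allowlist. Because the bug is reachable through the
// dashboard by a logged-in admin (including one lured by a crafted link),
// the handler also checks the capability and a nonce.
function aa_render_page_hardened() {
    $pages = array(           // assumed sub-page list; file names are illustrative
        'home'      => 'pages/home.php',
        'documents' => 'pages/documents.php',
        'settings'  => 'pages/settings.php',
    );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'aa-example' ) );
    }
    // Rejects requests that do not carry a valid nonce for this action,
    // so a link an admin clicks elsewhere cannot drive this handler.
    check_admin_referer( 'aa_open_page' );

    $open = isset( $_GET['open'] ) ? sanitize_key( wp_unslash( $_GET['open'] ) ) : 'home';
    if ( ! array_key_exists( $open, $pages ) ) {
        $open = 'home';       // unknown keys fall back instead of being used as a path
    }
    include plugin_dir_path( __FILE__ ) . $pages[ $open ];
}

// Links in the plugin's own menu must carry the matching nonce, e.g.:
function aa_documents_link() {
    return wp_nonce_url(
        admin_url( 'admin.php?page=aa-example&open=documents' ),
        'aa_open_page'
    );
}
```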

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2022-1560

Affected Products: Amministrazione Aperta