PT-2022-9608 · WordPress · Button Generator

Krzysztof Zając · Published 2022-01-10 · Updated 2022-01-14 · CVE-2021-25052

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Button Generator WordPress plugin, versions prior to 2.3.3.
Description: The wow-company admin menu page passes untrusted input to include(), allowing the inclusion of arbitrary files with a PHP extension as well as resources reached through the data:// or http:// stream wrappers. Because the page can be triggered through a forged request, this can lead to remote code execution (RCE) via cross-site request forgery (CSRF).
Recommendations: For versions prior to 2.3.3, update to version 2.3.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the wow-company admin menu page to minimize the risk of exploitation. Avoid passing untrusted input to include() until the issue is resolved.
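As an added illustration for this advisory (constructed here, not the Button Generator plugin's own code), the unsafe pattern the description refers to is shown beside a hardened version: a fixed allowlist of view files instead of a request-supplied path, a nonce check against CSRF, a capability check, and a realpath containment check. The function names, the `tab` parameter, the nonce action `wow_admin_page` and the view file names are assumptions.

```php
<?php
// Constructed example for this advisory; not the Button Generator plugin's code.

// Unsafe pattern: the menu page includes whatever file name arrives in the request.
// PHP's include() accepts stream wrappers, so a value such as "data://..." or
// "http://..." is evaluated as PHP, and a request that a logged-in admin is lured
// into sending (CSRF) is enough to trigger it.
function wow_render_admin_page_unsafe() {
    $page = isset( $_GET['page'] ) ? $_GET['page'] : 'default';
    include $page . '.php'; // untrusted input reaches include(): file inclusion / RCE
}

// Hardened version.
function wow_render_admin_page_fixed() {
    // 1. Only users allowed to manage the site may reach the page logic at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF protection: the request must carry a nonce this plugin issued
    //    (check_admin_referer() dies on a missing or invalid nonce).
    check_admin_referer( 'wow_admin_page' );

    // 3. Map the request parameter onto a fixed allowlist of view files; the
    //    request value itself is never used to build a path.
    $views = array(
        'default'  => 'views/main.php',
        'settings' => 'views/settings.php',
    );
    $key = isset( $_GET['tab'] ) ? sanitize_key( $_GET['tab'] ) : 'default';
    if ( ! array_key_exists( $key, $views ) ) {
        $key = 'default';
    }

    // 4. Defence in depth: resolve the path and confirm it stays inside the
    //    plugin directory; realpath() also rejects wrappers such as data:// or http://.
    $base = realpath( plugin_dir_path( __FILE__ ) );
    $file = realpath( $base . '/' . $views[ $key ] );
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid view.' );
    }
    include $file;
}
```

Links to the hardened page must be built with wp_nonce_url( $url, 'wow_admin_page' ) so that legitimate admin navigation passes the nonce check.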

Tags: Exploit · Fix · RCE · CSRF


Related Identifiers: CVE-2021-25052

Affected Products: Button Generator