PT-2026-41550 · WordPress · Simple-Fields

Published 2026-05-17 · Updated 2026-05-17 · CVE-2018-25324

CVSS v3.1: 6.2 Medium

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Simple Fields versions 0.2 through 0.3.5
Description: A local file inclusion issue allows unauthenticated attackers to read arbitrary files, such as /etc/passwd, by injecting null bytes into the wp_abspath parameter within the 'simple_fields.php' file. This occurs on PHP versions prior to 5.3.4. Additionally, if the allow_url_include setting is enabled, attackers can inject PHP code into Apache logs to achieve remote code execution.
Recommendations: Update Simple Fields to a version later than 0.3.5. As a temporary mitigation, restrict access to the 'simple_fields.php' file or avoid using the wp_abspath parameter until the update is applied.
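
A log-triage sketch for the requests described above, added here as an example and not taken from the plugin or from this advisory: it flags direct requests to simple_fields.php that pass wp_abspath, marks null bytes (including double-encoded ones), and flags PHP open tags stored in logged headers. The Apache combined log format, the plugin path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Apache "combined" format: client, timestamp, request line, status, size, referer, user agent.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>.*)"$')

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input such as %2500 is normalised."""
    raw = value.encode("latin-1", "replace")
    for _ in range(rounds):
        nxt = unquote_to_bytes(raw)
        if nxt == raw:
            break
        raw = nxt
    return raw

def classify(line):
    """Return the set of reasons a log line is suspicious (empty set if none)."""
    m = LINE.match(line)
    if not m:
        return set()
    reasons = set()
    # A PHP open tag stored in a logged header turns the log file into includable code.
    if "<?" in m["ua"] or "<?" in m["ref"]:
        reasons.add("php-tag-in-logged-header")
    url = urlsplit(m["target"])
    if url.path.lower().endswith("/simple_fields.php"):
        for pair in url.query.split("&"):
            key, _, val = pair.partition("=")
            if decode(key) != b"wp_abspath":
                continue
            reasons.add("wp_abspath-in-query")
            if b"\x00" in decode(val):
                reasons.add("null-byte")
    return reasons

# Constructed sample lines (documentation IP ranges; the plugin path is an assumption).
P = "/wp-content/plugins/simple-fields/simple_fields.php"
T = "[17/May/2026:10:00:00 +0000]"
SAMPLE = [
    f'192.0.2.10 - - {T} "GET {P}?wp_abspath=/etc/passwd%00 HTTP/1.1" 200 1532 "-" "curl/8.0"',
    f'192.0.2.11 - - {T} "GET {P}?wp_abspath=/etc/passwd%2500 HTTP/1.1" 200 1532 "-" "curl/8.0"',
    f'203.0.113.5 - - {T} "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET / HTTP/1.1" 200 512 "-" "<?php /* constructed marker */ ?>"',
]

def scan(lines):
    """Return (client, sorted reasons) for every flagged line."""
    return [(l.split()[0], sorted(r)) for l in lines if (r := classify(l))]
```
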

Fix

RCE

Weakness Enumeration

Related Identifiers: CVE-2018-25324

Affected Products: Simple-Fields