CVE-2021-24820 – Cost Calculator <= 1.6 - Authenticated Local File Inclusion

https://notcve.org/view.php?id=CVE-2021-24820

The Cost Calculator WordPress plugin through 1.6 allows authenticated users (Contributor+ in versions < 1.5, and Admin+ in versions <= 1.6) to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout El plugin de Cost Calculator de WordPress hasta la versión 1.6 permite a los usuarios autentificados (Contributor+ en las versiones anteriores a la versión 1.5, y Admin+ en las versiones anteriores o iguales a la versión 1.6) realizar el path traversal y la inclusión de archivos PHP locales en los servidores web de Windows a través del Layout del post Cost Calculator. The Cost Calculator WordPress plugin through 1.7 allows authenticated users (Contributor+ in versions < 1.5, and Admin+ in versions <= 1.8) to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout • https://wpscan.com/vulnerability/47652b24-a6f0-4bbc-834e-496b88523fe7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •