CVE-2022-2184 – CAPTCHA 4WP < 7.1.0 - Local File Inclusion via CSRF

https://notcve.org/view.php?id=CVE-2022-2184

The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack to run arbitrary code on the server. El plugin CAPTCHA 4WP de WordPress versiones anteriores a 7.1.0, permite que la entrada del usuario llegue a una llamada confidencial require_once en una de sus plantillas del lado del administrador. Esto puede ser abusado por atacantes, por medio de un ataque de tipo Cross-Site Request Forgery para ejecutar código arbitrario en el servidor The CAPTCHA 4WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.0.6.1. This makes it possible for unauthenticated attackers to inject malicious code, resulting in remote code execution, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/e777784f-5ba0-4966-be27-e0a0cbbfe056 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-352: Cross-Site Request Forgery (CSRF) •