High Priority – 8.2.7 version is vulnerable to Local File Inclusion

    • # 3 weeks ago

      We ask that your plugin be updated with the latest security fix for this newly-found vulnerability:
      Risks:
      CVSS 7.5
      This vulnerability is highly dangerous and expected to become mass exploited.
      7.5
      Local File Inclusion
      This could allow a malicious actor to include local files of the target website and show its output onto the screen. Files which store credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration.

      More info here: https://patchstack.com/database/wordpress/plugin/customer-area/vulnerability/wordpress-wp-customer-area-plugin-8-2-7-local-file-inclusion-vulnerability?_a_id=431
      And here: https://cwe.mitre.org/data/definitions/98.html
      https://www.cve.org/CVERecord?id=CVE-2025-60201

    • # 2 weeks and 5 days ago
    • Matias Larralde
      Keymaster
      # 2 weeks and 4 days ago

      Hi Maria,

      Thank you for bringing this important security issue to our attention. We are aware of the vulnerability in WP Customer Area 8.2.7 and are actively working on a patch.

      We will notify you as soon as the fix is available.

      We apologize for the inconvenience.

      Best regards,
      The WP Customer Area Team

      • # 5 days and 21 hours ago

        Hello,
        Has the security patch been released in the Version: 8.3.0? My security scanner is still picking up the vulnerability when I activate version 8.3.0.
        Please advise.

      • Emmanuel Diop
        Keymaster
        # 5 days and 12 hours ago

        Hi Maria,
        Thank you for your message.

        Yes, the security patch addressing the LFI vulnerability is included in version 8.3.0, so this issue should no longer appear in your scanner.
        The screenshot you sent refers to version 8.2.7 and earlier, which suggests that Patchstack may not have updated its database yet.

        We are also preparing another release later this week that will bring additional hardening and improvements, but nothing critical on your side — version 8.3.0 already addresses the vulnerability reported.

        Best regards,
        Emmanuel

    • # 2 weeks and 3 days ago

      @Matias, is there a timeline when these latest Security Issues will be addressed?

      According to Wordfence this seems to be a Critical Problem:

      * The Plugin “WP Customer Area” has a security vulnerability.

      Vulnerability Severity: 8.1/10.0 (High) Vulnerability Information

      WP Customer Area

      We don’t want our websites and/or our client’s data to be exposed or hacked, so please let us know when we can expect a fixed and updated version that would solve the security issues as well as the WP and PHP compatibility issues that I wrote about earlier?

      Regards, Danijel

      • Emmanuel Diop
        Keymaster
        # 5 days and 12 hours ago
        This reply has been marked as private.