Vulnerability:
- Type: Local File Include
- Location: GD bbPress Attachments
- Description: Allows attackers to include arbitrary PHP files. An attacker with admin access can exploit this vulnerability to include any PHP file on the server, potentially leading to resource exhaustion or arbitrary code execution if arbitrary PHP file upload is possible.
- Current State: Fixed

CVSS Summary:
- Score: 4.3 Medium
- Vector: Network
- Complexity: Medium
- Authentication: None
- Confidentiality: None
- Integrity: None
- Availability: Partial

Additional Information:
- Discovered by: Mallory Adams and dxwsupport
- Advisory ID: dxw-2015-1991
- CVE: CVE-2015-5482
- Component/Package: GD bbPress Attachments
- Homepage: GD bbPress Attachments
- Version: 2.1

Proof of Concept:
- URL causing infinite loop:

Advisory Timeline:
- 2015-02-25: Discovered
- 2015-07-01: Reported to vendor via email form on
- 2015-07-01: Requested CVE
- 2015-07-01: Vendor responded
- 2015-07-09: Vendor confirmed fix
- 2015-07-09: Published

Mitigation/Further Actions:
- Upgrade to version 2.2 or later