Title: Security risk
Last modified: May 8, 2025

---

# Security risk

 *  Resolved [Bob](https://wordpress.org/support/users/toggerybob/)
 * (@toggerybob)
 * [1 year ago](https://wordpress.org/support/topic/security-risk-31/)
 * Issue Details
 * CVSS Score **7.5**
 * WordPress List category posts <= 0.90.3 – Local File Inclusion Vulnerability
 * Vulnerability type: Local File Inclusion – No Update Available

Viewing 15 replies - 1 through 15 (of 15 total)

 *  [bokibe](https://wordpress.org/support/users/bokibe/)
 * (@bokibe)
 * [1 year ago](https://wordpress.org/support/topic/security-risk-31/#post-18457847)
 * Same issue here: [View in Patchstack](https://patchstack.com/database/vulnerability/list-category-posts/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability?_a_id=431)
 *  [Bodhipaksa](https://wordpress.org/support/users/haecceity/)
 * (@haecceity)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/#post-18464097)
 * The report I got from Wordfence said that the vulnerability “makes it possible
   for authenticated attackers, with contributor-level access and above, to include
   and execute arbitrary files on the server.” So it sounds like if you’re a single-
   user site there’s no immediate risk?
 *  [markilus](https://wordpress.org/support/users/markilus/)
 * (@markilus)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/#post-18465069)
 * Probably safe if you are a single user. Still hope this is getting fixed asap!
 *  [cwjordan](https://wordpress.org/support/users/cwjordan/)
 * (@cwjordan)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/#post-18466229)
 * Per Github the developer is aware and is working on a patch. The Github comments
   suggest that markilus and Bodhipaksa (above) are correct. Oh, fix came out just
   now 0.91.0.
    -  This reply was modified 12 months ago by [cwjordan](https://wordpress.org/support/users/cwjordan/).
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/#post-18466265)
 * Version 0.91.0 just went out which should address the issue.
 * Sorry for the scare, but as Wordfence describes, the issue needs an _**authenticated
   attacker, with contributor-level access and above**, to include and execute arbitrary
   files on the server, allowing the execution of any PHP code in those files_.
   So you’d need an authenticated attacker, with access to the server filesystem
   so they can upload/modify a file, to make use of this vulnerability.
 * The system would have been compromised already to use it. Most WordPress blogs
   are not in danger, unless a malicious user has already gained access to their
   website (in which case, the problems they could cause are much bigger than what
   they could achieve with List Category Posts).
 * Thanks, and hope you can keep enjoying the plugin 🙂
 *  [Bodhipaksa](https://wordpress.org/support/users/haecceity/)
 * (@haecceity)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/#post-18466376)
 * Thank you for the fix, Fernando!
 *  [hummelmose](https://wordpress.org/support/users/hummelmose/)
 * (@hummelmose)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/#post-18466579)
 * Thanks a mill. for the fix. I use this plugin for a lot of different scenarios,
   so keep up the very good work.
 *  [hummelmose](https://wordpress.org/support/users/hummelmose/)
 * (@hummelmose)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/#post-18468538)
 * Hi there – Sadly the fix still has the issue.
 * [https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability?_a_id=431](https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability?_a_id=431)
 * I hope You will give it another go 🙂
 *  [bokibe](https://wordpress.org/support/users/bokibe/)
 * (@bokibe)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/#post-18468870)
 * [@hummelmose](https://wordpress.org/support/users/hummelmose/): Seems you have
   still version 0-90-3 (see your URL)
 * However I still have it too with 0.91.0:
   WordPress List category posts <= 0.91.0 – Local File Inclusion Vulnerability
   [View in Patchstack](https://patchstack.com/database/vulnerability/list-category-posts/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability?_a_id=431)
 *  [hummelmose](https://wordpress.org/support/users/hummelmose/)
 * (@hummelmose)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/#post-18468965)
 * [@bokibe](https://wordpress.org/support/users/bokibe/) – Nope – I have Version
   0.9.1 – installed it as soon as it was released.
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/page/2/#post-18469022)
 * The issue for 0.91.0 is a new one indeed. It is marked as **Low priority**:
 * **“This security issue has a low severity impact and is unlikely to be exploited.”**
 * The update in 0.91.0 makes it so that you can only include template files from
   the `list-category-posts` directory in your theme’s directory. File inclusion
   is a core functionality of the template system; it lets users create their own
   templates by uploading a file and referencing it with the shortcode. For this
   to be used as an exploit, a malicious actor needs to have access to uploading/
   editing files on the server and editing posts with Contributor+ permissions.
   As I mentioned before, by this point the system would be absolutely compromised
   and what can be done with the plugin is minimal in comparison to having a compromised
   server and WordPress system.
 * I’d like to fix this, but I don’t know if what’s expected is to completely remove
   the feature? A user with access to a WordPress system and the server is always
   going to be able to manipulate PHP files and include them wherever. I’m open 
   to ideas.
 * I also think the reports make it look very alarming and don’t make it clear enough
   that this “vulnerability” needs a completely compromised system.
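The post above describes the 0.91.0 design: a template name taken from a shortcode is only ever resolved inside the theme's `list-category-posts` directory. The resolver below is an added example written for this thread, not code from List Category Posts or from its author; it shows one way to enforce that confinement (single path component, name allowlist, `realpath` canonicalisation, parent-directory comparison) and exercises it against constructed inputs in a throwaway directory. The function name `lcp_resolve_template`, the demo directory layout and the sample template names are assumptions made for this example; it assumes a POSIX host where `symlink()` works.

```php
<?php
// Added example: a path-confined template resolver, written for this thread.
// It is NOT the List Category Posts plugin's code; it only illustrates the
// fix described above (include templates solely from the theme's
// list-category-posts/ directory). The function name, the demo directory
// and the sample template names are assumptions made for this example.
declare(strict_types=1);

/**
 * Map a template name taken from shortcode input to an absolute path, or
 * return null unless it names a .php file directly inside $templateDir.
 */
function lcp_resolve_template(string $requested, string $templateDir): ?string
{
    // 1. Collapse the input to its last path component: "../../wp-config"
    //    becomes "wp-config" and "a/b/c" becomes "c".
    $name = basename($requested);

    // 2. Allowlist the shape of the name. Rejects dots (so no ".." and no
    //    caller-supplied extension), null bytes, "php://" style wrappers and
    //    everything non-ASCII.
    if (preg_match('/^[A-Za-z0-9_-]+$/', $name) !== 1) {
        return null;
    }

    // 3. Canonicalise both sides. realpath() returns false for a missing
    //    file and follows symlinks, so a link inside the directory that
    //    points outside it is caught by the containment check below.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }

    // 4. Containment: the resolved file's parent must be exactly the base
    //    directory. Comparing whole components (not a string prefix) means
    //    "/theme/list-category-posts-evil" is not mistaken for the base.
    if (dirname($path) !== $base) {
        return null;
    }

    return $path;
}

// Throwaway layout standing in for a theme directory (constructed for the demo).
$theme = sys_get_temp_dir() . '/lcp-demo-' . bin2hex(random_bytes(4));
$templateDir = $theme . '/list-category-posts';
mkdir($templateDir, 0700, true);
file_put_contents($templateDir . '/cards.php', "<?php echo \"cards template\\n\";\n");
file_put_contents($theme . '/secret.php', "<?php echo \"must never run\\n\";\n");
symlink($theme . '/secret.php', $templateDir . '/link.php');

$inputs = [
    'cards',                           // legitimate template -> included
    '../secret',                       // traversal -> rejected
    'link',                            // symlink escaping the dir -> rejected
    'php://filter/resource=cards',     // stream wrapper -> rejected
    '/etc/passwd',                     // absolute path -> rejected
];

foreach ($inputs as $input) {
    $resolved = lcp_resolve_template($input, $templateDir);
    printf("%-32s => %s\n", var_export($input, true), $resolved ?? 'REJECTED');
    if ($resolved !== null) {
        include $resolved; // confined to the template directory by construction
    }
}

// Clean up the demo files.
unlink($templateDir . '/link.php');
unlink($templateDir . '/cards.php');
unlink($theme . '/secret.php');
rmdir($templateDir);
rmdir($theme);
```

The check that matters is step 4: a string-prefix comparison such as `str_starts_with($path, $base)` would accept a sibling directory whose name merely begins with the base name, whereas comparing `dirname($path)` with the canonical base accepts only direct children. Steps 1 and 2 make the accepted input space small enough to reason about; step 3 is what turns the symlink case into a rejection rather than an include of a file outside the directory.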
 *  [hummelmose](https://wordpress.org/support/users/hummelmose/)
 * (@hummelmose)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/page/2/#post-18469071)
 * Hi [@fernandobt](https://wordpress.org/support/users/fernandobt/)
 * Thanks for the feedback. Have a great weekend.
 *  Thread Starter [Bob](https://wordpress.org/support/users/toggerybob/)
 * (@toggerybob)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/page/2/#post-18469893)
 * We’re out. Thanks anyway.
 *  [tunixnl](https://wordpress.org/support/users/tunixnl/)
 * (@tunixnl)
 * [10 months, 2 weeks ago](https://wordpress.org/support/topic/security-risk-31/page/2/#post-18529080)
 * Hi Fernando,
 * I know it’s not high prio, but you think it will be fixed? Our security plugin
   keeps giving us warnings.
 * We use it a lot, so it would be great if it gets fixed.
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [7 months, 3 weeks ago](https://wordpress.org/support/topic/security-risk-31/page/2/#post-18645624)
 * Patchstack has now marked the issue fixed in version 0.92.0:
   [https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability](https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability)
 * As mentioned before, this is not an issue for single-user instances, and it’s
   very low risk for systems with several users. But it’s marked as fixed if you
   update to version 0.92.0. Thanks.


The topic ‘Security risk’ is closed to new replies.

 * 22 replies
 * 8 participants
 * Last reply from: [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * Last activity: [7 months, 3 weeks ago](https://wordpress.org/support/topic/security-risk-31/page/2/#post-18645624)
 * Status: resolved