Title: SECURITY RISK
Last modified: May 13, 2025

---

# SECURITY RISK

 *  Resolved [maciejrzeszutko](https://wordpress.org/support/users/maciejrzeszutko/)
 * (@maciejrzeszutko)
 * [11 months, 1 week ago](https://wordpress.org/support/topic/security-risk-32/)
 * **List category posts has a known vulnerability that may be affecting this version – ≤ 0.90.3**
 * This vulnerability appears to be unpatched. Stay tuned for upcoming plugin updates.
 * **Path Traversal: '.../...//'**
 * _The product uses external input to construct a pathname that should be within
   a restricted directory, but it does not properly neutralize '.../...//' (doubled
   triple dot slash) sequences that can resolve to a location that is outside of
   that directory._
 * Global score: 7.5 / 10
 * Severity: High
 * [[+]](https://www.cve.org/CVERecord?id=CVE-2025-47636) CVE-2025-47636
   [[+]](https://euvd.enisa.europa.eu/enisa/EUVD-2025-13750)
   EUVD-2025-13750

Viewing 15 replies - 1 through 15 (of 16 total)


 *  [Sea Jay](https://wordpress.org/support/users/jcollier/)
 * (@jcollier)
 * [11 months, 1 week ago](https://wordpress.org/support/topic/security-risk-32/#post-18465817)
 * We just received that notification, too. I hope this is updated very soon since
   we love using it.
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [11 months, 1 week ago](https://wordpress.org/support/topic/security-risk-32/#post-18466264)
 * Version 0.91.0 just went out which should address the issue.
 * Sorry for the scare, but as Wordfence describes, the issue needs an _**authenticated
   attacker, with contributor-level access and above**, to include and execute arbitrary
   files on the server, allowing the execution of any PHP code in those files_.
   So you’d need an authenticated attacker, with access to the server filesystem
   so they can upload/modify a file, to make use of this vulnerability.
 * The system would have been compromised already to use it. Most WordPress blogs
   are not in danger, unless a malicious user has already gained access to their
   website (in which case, the problems they could cause are much bigger than what
   they could achieve with List Category Posts).
 * Thanks, and hope you can keep enjoying the plugin 🙂
 *  [Sea Jay](https://wordpress.org/support/users/jcollier/)
 * (@jcollier)
 * [11 months, 1 week ago](https://wordpress.org/support/topic/security-risk-32/#post-18467468)
 * Thank you for the update and the context!
 *  [redthruviolet](https://wordpress.org/support/users/redthruviolet/)
 * (@redthruviolet)
 * [10 months, 3 weeks ago](https://wordpress.org/support/topic/security-risk-32/#post-18491734)
 * We have version 0.91.0, which shows the Security Risk in Jetpack Protect. Do 
   you have an idea when it will be fixed?
 *  [slewisma](https://wordpress.org/support/users/slewisma/)
 * (@slewisma)
 * [10 months, 1 week ago](https://wordpress.org/support/topic/security-risk-32/#post-18505657)
 * Fernando, does your comment about 0.91.0 having just gone out mean that you will
   be addressing the vulnerability, just not immediately since you just did a release?
   
   Clients get nervous when they see the warning from Wordfence, Jetpack, etc. I
   understand the risk is low due to the needed access levels and that Wordfence’s
   WAF may provide protection anyway. It’d be good to be able to tell the clients
   that the risk is minimal and that a future update will address it rather than
   not knowing if it will be addressed or not. Thanks!
 *  [btwebmedia](https://wordpress.org/support/users/btwebmedia/)
 * (@btwebmedia)
 * [10 months, 1 week ago](https://wordpress.org/support/topic/security-risk-32/#post-18508025)
 * Is there an update to the 0.91 version? It’s being dinged as a security risk.
   Thanks for your help.
 *  [JohnnieGR](https://wordpress.org/support/users/johnniegr/)
 * (@johnniegr)
 * [10 months, 1 week ago](https://wordpress.org/support/topic/security-risk-32/#post-18511997)
 * [https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability](https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability)
 *  [natebald](https://wordpress.org/support/users/natebald/)
 * (@natebald)
 * [10 months, 1 week ago](https://wordpress.org/support/topic/security-risk-32/#post-18514145)
 * Patchstack and other DBs are still reporting a security risk. Is there a fix going
   to be released soon?
 *  [SprialOwner](https://wordpress.org/support/users/sprialowner/)
 * (@sprialowner)
 * [9 months, 4 weeks ago](https://wordpress.org/support/topic/security-risk-32/#post-18528285)
 * Hi there! I’m just checking in to see if the current security issue is being 
   addressed. This week it has shown up on ManageWP. (via Patchstack) I only ask
   because in our monthly reports, our clients will see the vulnerability and will
   have questions. 
   Thank you so much!
 *  [Rand HOPPE](https://wordpress.org/support/users/rand-hoppe/)
 * (@rand-hoppe)
 * [9 months, 3 weeks ago](https://wordpress.org/support/topic/security-risk-32/#post-18538031)
 * Yep. .91 still kicking off a report from Solid Security (since May 15)
 *  [slackernaomi](https://wordpress.org/support/users/slackernaomi/)
 * (@slackernaomi)
 * [7 months, 4 weeks ago](https://wordpress.org/support/topic/security-risk-32/#post-18611192)
 * Still unpatched.
 * Any plans to patch it? 
   It gives me anxiety.
 *  [slewisma](https://wordpress.org/support/users/slewisma/)
 * (@slewisma)
 * [7 months, 4 weeks ago](https://wordpress.org/support/topic/security-risk-32/page/2/#post-18611276)
 * Wordfence and ManageWP still show it as vulnerable too which gives clients anxiety.
 *  Plugin Contributor [zymeth25](https://wordpress.org/support/users/zymeth25/)
 * (@zymeth25)
 * [7 months, 4 weeks ago](https://wordpress.org/support/topic/security-risk-32/page/2/#post-18611330)
 * Please read Fernando’s reply above, it explains the issue in enough detail. It’s
   worth adding that in the current version users are only allowed to include files
   from the dedicated template directory, server administrators put LCP templates
   there for later use. This is the core of the template feature of this plugin,
   to “fix” the reported vulnerability would be to remove the feature, which is 
   unacceptable for most users.
 * Admins with write access create templates and it’s their responsibility to maintain
   secure templates. So this is clearly not a contributor level privilege escalation
   issue as the report suggests.
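
The restriction zymeth25 describes (templates may only be included from one dedicated directory) is the mitigation a reviewer would want to see enforced in code. The following is an added example written for this thread, not code from the List Category Posts plugin: it resolves a template name against an assumed template directory, rejects the CWE-35 `.../...//` pattern along with ordinary `../` traversal, and fails closed if the canonical path leaves the directory. Directory layout and function names are assumptions.

```php
<?php
/*
 * Added example, not code from the List Category Posts plugin.
 * Resolves a template name supplied by a post author against a dedicated
 * template directory and returns null for anything that would leave it.
 * The directory layout and the function name are assumptions.
 */
function lcp_example_resolve_template(string $templateDir, string $name): ?string
{
    // Step 1: allow only a bare file name. This rejects "../", the CWE-35
    // ".../...//" pattern, absolute paths, null bytes and URL wrappers.
    if (!preg_match('/^[A-Za-z0-9_-]+(\.php)?$/', $name)) {
        return null;
    }
    if (substr($name, -4) !== '.php') {
        $name .= '.php';
    }

    // Step 2: canonicalise both sides and require the file to sit inside the
    // directory. realpath() also fails closed when the file does not exist.
    $base = realpath($templateDir);
    $candidate = realpath($templateDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary template directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lcp-templates-' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'default.php', "<?php echo 'ok';\n");

$inputs = ['default', 'default.php', '.../...//wp-config.php', '../../wp-config.php', '/etc/passwd'];
foreach ($inputs as $input) {
    $resolved = lcp_example_resolve_template($dir, $input);
    printf("%-26s => %s\n", $input, $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

unlink($dir . DIRECTORY_SEPARATOR . 'default.php');
rmdir($dir);
```

Only the two `default` spellings resolve; the three traversal inputs are rejected by the allow-list before any filesystem call, and the `realpath` containment check is the second line of defence should the allow-list ever be loosened.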
 *  [SprialOwner](https://wordpress.org/support/users/sprialowner/)
 * (@sprialowner)
 * [7 months, 3 weeks ago](https://wordpress.org/support/topic/security-risk-32/page/2/#post-18614334)
 * We understand what Fernando is saying but our clients who see the listed vulnerability
   on their monthly reports aren’t able to understand what is happening. All they
   see is the red flag. Could you please fix it so we don’t have to keep trying
   to answer their panicked questions?
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [7 months, 3 weeks ago](https://wordpress.org/support/topic/security-risk-32/page/2/#post-18614573)
 * This is an issue with the systems reporting a red flag on the plugin. As [the report](https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability)
   says, **the security issue has a low severity impact and is unlikely to be exploited**.
   I think it’s good to let users know of potential issues, but the risk here is
   extremely low. **A WordPress system won’t be any less secure by using this plugin**.
   To get to the level of compromise needed to “exploit this vulnerability”, the
   system would be extremely vulnerable in many other dangerous ways. There is no
   planned “fix” at the moment, as this is a core feature of the plugin and we don’t
   consider it a security vulnerability.
 * This plugin has been built as a voluntary effort in the spirit of free software.
   I understand others have built their businesses out of using free software, but
   this is not a business to us.
 * You are obviously free to stop using the plugin if you’re not happy with any 
   of this.


The topic ‘SECURITY RISK’ is closed to new replies.


 * 24 replies
 * 12 participants
 * Last reply from: [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * Last activity: [7 months ago](https://wordpress.org/support/topic/security-risk-32/page/2/#post-18645626)
 * Status: resolved