Title: Fernando Briano's Replies | WordPress.org

---

# Fernando Briano


## Forum Replies Created

Viewing 15 replies - 1 through 15 (of 703 total)


 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] PHP 8.4 issue](https://wordpress.org/support/topic/php-8-4-issue-2/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [2 months, 3 weeks ago](https://wordpress.org/support/topic/php-8-4-issue-2/#post-18824343)
 * Thanks!
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] PHP 8.4 issue](https://wordpress.org/support/topic/php-8-4-issue-2/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [2 months, 3 weeks ago](https://wordpress.org/support/topic/php-8-4-issue-2/#post-18823837)
 * Hi [@aliamm](https://wordpress.org/support/users/aliamm/), version 0.94.0 is 
   out where I tried to address this issue. Let me know if it’s still a problem 
   in your site after updating. Thanks!
 *   Forum: [Reviews](https://wordpress.org/support/forum/reviews/)
    In reply to:
   [[List category posts] Fantastic](https://wordpress.org/support/topic/fantastic-3479/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [2 months, 4 weeks ago](https://wordpress.org/support/topic/fantastic-3479/#post-18819275)
 * Thank you kindly for your review! 🙂
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] post_status not working anymore after update to 0.93.0](https://wordpress.org/support/topic/post_status-not-working-anymore-after-update-to-0-93-0/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [6 months, 1 week ago](https://wordpress.org/support/topic/post_status-not-working-anymore-after-update-to-0-93-0/#post-18707594)
 * [@sarahtopfstaedt](https://wordpress.org/support/users/sarahtopfstaedt/) version
   0.93.1 is out with a fix for this issue. Please update and let me know if it’s
   fixed for you, thanks!
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] post_status not working anymore after update to 0.93.0](https://wordpress.org/support/topic/post_status-not-working-anymore-after-update-to-0-93-0/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [6 months, 1 week ago](https://wordpress.org/support/topic/post_status-not-working-anymore-after-update-to-0-93-0/#post-18704924)
 * Hi [@sarahtopfstaedt](https://wordpress.org/support/users/sarahtopfstaedt/), 
   thanks for reporting this. We’ve identified the issue and are working on a patch
   release to fix the bug. I’ll update this post once the release is out, thanks!
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] SECURITY RISK](https://wordpress.org/support/topic/security-risk-32/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [7 months, 3 weeks ago](https://wordpress.org/support/topic/security-risk-32/page/2/#post-18645626)
 * Patchstack has now marked the issue fixed in version 0.92.0:
   [https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability](https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability)
 * As mentioned before, this is not an issue for single-user instances, and it’s
   very low risk for systems with several users. But it’s marked as fixed if you
   update to version 0.92.0. Thanks.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] Security risk](https://wordpress.org/support/topic/security-risk-31/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [7 months, 3 weeks ago](https://wordpress.org/support/topic/security-risk-31/page/2/#post-18645624)
 * Patchstack has now marked the issue fixed in version 0.92.0:
   [https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability](https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability)
 * As mentioned before, this is not an issue for single-user instances, and it’s
   very low risk for systems with several users. But it’s marked as fixed if you
   update to version 0.92.0. Thanks.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] Vulnerability posted by Wordfence](https://wordpress.org/support/topic/vulnerability-posted-by-wordfence/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [7 months, 3 weeks ago](https://wordpress.org/support/topic/vulnerability-posted-by-wordfence/page/2/#post-18645494)
 * Oh, hadn’t seen that message, Patchstack has marked it as fixed, thanks [@mountain-hiker-1](https://wordpress.org/support/users/mountain-hiker-1/)!
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] Vulnerability posted by Wordfence](https://wordpress.org/support/topic/vulnerability-posted-by-wordfence/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [7 months, 3 weeks ago](https://wordpress.org/support/topic/vulnerability-posted-by-wordfence/page/2/#post-18645484)
 * I got in touch with both Patchstack and Wordfence yesterday after releasing the
   new version. I haven’t heard back from them yet.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] SECURITY RISK](https://wordpress.org/support/topic/security-risk-32/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [8 months, 2 weeks ago](https://wordpress.org/support/topic/security-risk-32/page/2/#post-18614573)
 * This is an issue with the systems reporting a red flag on the plugin. As [the report](https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability)
   says, **the security issue has a low severity impact and is unlikely to be exploited**.
   I think it’s good to let users know of potential issues, but the risk here is
   extremely low. **A WordPress system won’t be any less secure by using this plugin**.
   To get to the level of compromise needed to “exploit this vulnerability”, the
   system would be extremely vulnerable in many other dangerous ways. There is no
   planned “fix” at the moment, as this is a core feature of the plugin and we don’t
   consider it a security vulnerability.
 * This plugin has been built as a voluntary effort in the spirit of free software.
   I understand others have built their businesses out of using free software, but
   this is not a business to us.
 * You are obviously free to stop using the plugin if you’re not happy with any 
   of this.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] Security risk](https://wordpress.org/support/topic/security-risk-31/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/page/2/#post-18469022)
 * The issue for 0.91.0 is a new one indeed. It is marked as **Low priority**:
 * **“This security issue has a low severity impact and is unlikely to be exploited.”**
 * The update in 0.91.0 makes it so that you can only include template files from
   the `list-category-posts` directory in your theme’s directory. File inclusion
   is a core functionality of the template system, it lets users create their own
   templates by uploading a file and referencing it with the shortcode. For this
   to be used as an exploit, a malicious actor needs to have access to uploading/
   editing files on the server and editing posts with Contributor+ permissions. 
   As I mentioned before, by this point the system would be absolutely compromised
   and what can be done with the plugin is minimal in comparison to having a compromised
   server and WordPress system.
 * I’d like to fix this, but I don’t know if what’s expected is to completely remove
   the feature? A user with access to a WordPress system and the server is always
   going to be able to manipulate PHP files and include them wherever. I’m open 
   to ideas.
 * I also think the reports make it look very alarming and don’t make it clear enough
   that this “vulnerability” needs a completely compromised system.
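
The restriction described in the reply above (templates may only be loaded from the `list-category-posts` directory inside the theme directory) can be enforced with a canonical-path containment check. This is an added example, not part of the original reply and not the plugin's code; the function name `lcp_resolve_template` and the sample file tree are assumptions.

```php
<?php
// Added illustration, not the plugin's code. lcp_resolve_template() is a hypothetical name.
function lcp_resolve_template(string $theme_dir, string $name): ?string
{
    // Accept only a bare template name: letters, digits, underscore, hyphen.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {
        return null;
    }
    $base = realpath($theme_dir . '/list-category-posts');
    if ($base === false) {
        return null; // the theme has no template directory
    }
    // realpath() resolves symlinks and "..", and returns false for missing files.
    $path = realpath($base . '/' . $name . '.php');
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check on the canonical path, with a trailing separator so a
    // sibling such as "list-category-posts-old/" cannot pass as a prefix match.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample tree in a temp directory (not real site data).
$theme = sys_get_temp_dir() . '/lcp_demo_' . bin2hex(random_bytes(4));
mkdir($theme . '/list-category-posts', 0700, true);
file_put_contents($theme . '/list-category-posts/default.php', "<?php // template\n");
file_put_contents($theme . '/outside.php', "<?php // not a template\n");
// A link inside the template directory that points outside it.
symlink($theme . '/outside.php', $theme . '/list-category-posts/link.php');

foreach (['default', '../outside', 'link', 'missing', "default\0x"] as $name) {
    $resolved = lcp_resolve_template($theme, $name);
    printf("%-16s => %s\n", json_encode($name), $resolved === null ? 'rejected' : 'allowed');
}
```

Only `default` resolves; the symlinked `link` is rejected because the comparison is made on the canonical path rather than on the name as supplied.
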
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List categories] Styling Parent Cats](https://wordpress.org/support/topic/styling-parent-cats/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [12 months ago](https://wordpress.org/support/topic/styling-parent-cats/#post-18467456)
 * Hi, yes, the plugin is still being supported.
 * To have the parent categories displayed as bold text, I came up with something
   like this:
 *     ```wp-block-code
       .cat-item {
         font-weight: bold;
       }
       ul.children .cat-item {
         font-weight: normal;
       }
       ```
   
 * I think you could also solve this by using the `:not` operator to select `li`
   items with the `.cat-item` class, that are not children of `children`.
 * For your second question:
 *     ```wp-block-code
       ul.children {
         padding-top: 20px;
       }
       ```
   
 * This code will add 20px between the parent categories and their children.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] Security risk](https://wordpress.org/support/topic/security-risk-31/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-31/#post-18466265)
 * Version 0.91.0 just went out which should address the issue.
 * Sorry for the scare, but as Wordfence describes, the issue needs an _**authenticated
   attacker, with contributor-level access and above**, to include and execute arbitrary
   files on the server, allowing the execution of any PHP code in those files_. 
   So you’d need an authenticated attacker, with access to the server filesystem
   so they can upload/modify a file, to make use of this vulnerability.
 * The system would have been compromised already to use it. Most WordPress blogs
   are not in danger, unless a malicious user has already gained access to their
   website (in which case, the problems they could cause are much bigger than what
   they could achieve with List Category Posts).
 * Thanks, and hope you can keep enjoying the plugin 🙂
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] SECURITY RISK](https://wordpress.org/support/topic/security-risk-32/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [12 months ago](https://wordpress.org/support/topic/security-risk-32/#post-18466264)
 * Version 0.91.0 just went out which should address the issue.
 * Sorry for the scare, but as Wordfence describes, the issue needs an _**authenticated
   attacker, with contributor-level access and above**, to include and execute arbitrary
   files on the server, allowing the execution of any PHP code in those files_. 
   So you’d need an authenticated attacker, with access to the server filesystem
   so they can upload/modify a file, to make use of this vulnerability.
 * The system would have been compromised already to use it. Most WordPress blogs
   are not in danger, unless a malicious user has already gained access to their
   website (in which case, the problems they could cause are much bigger than what
   they could achieve with List Category Posts).
 * Thanks, and hope you can keep enjoying the plugin 🙂
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[List category posts] Link “read more” to post](https://wordpress.org/support/topic/link-read-more-to-post/)
 *  Plugin Author [Fernando Briano](https://wordpress.org/support/users/fernandobt/)
 * (@fernandobt)
 * [2 years, 1 month ago](https://wordpress.org/support/topic/link-read-more-to-post/#post-17509968)
 * Hi [@brisch](https://wordpress.org/support/users/brisch/), you can find the parameter
   `posts_morelink` in [the documentation](https://github.com/picandocodigo/List-Category-Posts/wiki/More-parameters-you-can-use):
 * **posts_morelink** – Include a “read more” link after each post. It receives 
   a string of characters as a parameter which will be used as the text of the link.
   Example: `[catlist id=38 posts_morelink="Read more about this post"]`
