A high-severity vulnerability has been identified in the Player Leaderboard plugin for WordPress. This flaw, known as Local File Inclusion (LFI), could allow an unauthenticated attacker to access and read sensitive files on the web server, such as configuration files containing database credentials. Successful exploitation could lead to a significant data breach or provide the attacker with information needed to conduct further, more damaging attacks against the server.

The Player Leaderboard plugin fails to properly sanitize user-supplied input that is used in file paths. This allows an attacker to manipulate input parameters to include local files from the server's file system. An unauthenticated remote attacker can exploit this by crafting a specific request that includes directory traversal sequences (e.g., ../) to navigate outside of the intended directory and access arbitrary files that the web server process has permissions to read.

This is a High severity vulnerability with a CVSS score of 8.8. Exploitation could have a severe impact on the business, leading to the unauthorized disclosure of sensitive information. Potential consequences include the exposure of database credentials from files like wp-config.php, theft of proprietary application source code, and leakage of system user information from files like /etc/passwd. This breach of confidentiality could result in regulatory fines, reputational damage, and could serve as a foothold for attackers to escalate privileges and achieve a full system compromise.

Immediate Action: Update the Player Leaderboard plugin to the latest patched version immediately. If the plugin is not critical for business operations, the recommended course of action is to disable and completely remove it to eliminate this attack vector. After updating or removing the plugin, verify that the site remains functional and the vulnerability is no longer present.

Proactive Monitoring: Monitor web server access logs for requests to the Player Leaderboard plugin containing directory traversal patterns such as ../, ..%2f, or absolute file paths. Implement a File Integrity Monitoring (FIM) solution to alert on any unauthorized access or changes to critical system and configuration files, including wp-config.php.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules designed to detect and block Local File Inclusion and directory traversal attempts. Additionally, harden the server's PHP configuration by restricting file access with the open_basedir directive to prevent PHP from accessing files outside of the authorized web root directories.

Public Exploit Available: false

Given the High severity (CVSS 8.8) of this vulnerability and the potential for complete information disclosure, we strongly recommend immediate action. Organizations must prioritize the deployment of the vendor-provided update for the Player Leaderboard plugin across all affected WordPress instances. Although this CVE is not currently on the CISA KEV list, its critical nature makes it a significant threat that should be addressed with the highest urgency to prevent potential system compromise and data exfiltration.