Description
Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php.