Description
WordPress Plugin Child Theme Creator by Orbisius is prone to an arbitrary file modification vulnerability because it fails to properly verify user-supplied input. An attacker can exploit this vulnerability to modify local files in the context of the web server process, which may result in privilege escalation; other attacks are also possible. WordPress Plugin Child Theme Creator by Orbisius version 1.2.6 is vulnerable; prior versions may also be affected.
Remediation
Update the plugin to version 1.2.8 or the latest available version.
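To check whether a site still carries a copy that needs this update, the following added example (not code from the advisory or the plugin's author) reads the installed version from the plugin header and compares it with 1.2.8. It assumes the standard `wp-content/plugins/<slug>/` layout and the WordPress `Version:` header convention, and it treats every version below 1.2.8 as requiring the update; the function names and the sample path are hypothetical.

```python
import re
import sys
import tempfile
from pathlib import Path

SLUG = "orbisius-child-theme-creator"  # slug taken from the wordpress.org URL in References
FIXED = (1, 2, 8)                      # remediation version given in this advisory
# WordPress takes the version from a "Version:" line in the main plugin file's header comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)

def parse_version(text):
    """'1.2.6' -> (1, 2, 6); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(plugins_dir):
    """Version string from the plugin header, or None if it cannot be read."""
    for php in sorted((Path(plugins_dir) / SLUG).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KB
        match = HEADER_RE.search(head)
        if "Plugin Name:" in head and match:
            return match.group(1)
    return None

def audit(plugins_dir):
    """Return 'absent', 'unknown', 'update-required' or 'ok' for one plugins directory."""
    if not (Path(plugins_dir) / SLUG).is_dir():
        return "absent"
    version = installed_version(plugins_dir)
    if version is None:
        return "unknown"  # directory exists but no readable header: inspect by hand
    return "ok" if parse_version(version) >= FIXED else "update-required"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit(sys.argv[1]))  # e.g. /var/www/html/wp-content/plugins (assumed path)
    else:
        # Constructed sample: a fake install carrying the version the advisory names.
        root = Path(tempfile.mkdtemp())
        (root / SLUG).mkdir()
        (root / SLUG / "plugin.php").write_text(
            "<?php\n/*\nPlugin Name: Sample\nVersion: 1.2.6\n*/\n")
        print(audit(root))
```

A result of `unknown` means the plugin directory exists but its header could not be parsed, so that install should be inspected manually rather than assumed safe.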
References
http://cinu.pl/research/wp-plugins/mail_28c91eee00e8e4b5868ebc58b5b1f730.html
https://wordpress.org/plugins/orbisius-child-theme-creator/changelog/