Description
WordPress Plugin Fusion Engage is prone to a local file disclosure vulnerability because it fails to adequately validate user-supplied input. Exploiting this vulnerability could allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application; this may aid in further attacks. WordPress Plugin Fusion Engage version 1.0.5 is vulnerable; other versions may also be affected.
Remediation
Edit the source code to ensure that input is properly verified or disable the plugin until a fix is available
References
http://seclists.org/fulldisclosure/2015/Apr/27
http://packetstormsecurity.com/files/131379/WordPress-Fusion-Engage-Local-File-Disclosure.html
Related Vulnerabilities
WordPress Plugin Buddypress Xprofile Custom Fields Type Arbitrary File Deletion (2.6.3)
WordPress 4.4.x Cross-Domain Flash Injection Vulnerability (4.4 - 4.4.13)
WordPress Plugin MailUp newsletter sign-up form Security Bypass (1.3.2)
WordPress Plugin Thank You Counter Button Cross-Site Scripting (1.8.2)
WordPress Plugin ProPlayer 'pp_playlist_id' Parameter SQL Injection (4.7.7)