Critical severity9.0NVD Advisory· Published Sep 11, 2017· Updated May 13, 2026

CVE-2015-8351

Description

PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.

Affected products

Gwolle Guestbook Project/Gwolle Guestbook
cpe:2.3:a:gwolle_guestbook_project:gwolle_guestbook:*:*:*:*:*:wordpress:*:*
Range: <=1.5.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/134599/WordPress-Gwolle-Guestbook-1.5.3-Remote-File-Inclusion.htmlnvdThird Party AdvisoryVDB Entry
wordpress.org/plugins/gwolle-gb/changelog/nvdThird Party Advisory
www.exploit-db.com/exploits/38861/nvdThird Party AdvisoryVDB Entry
www.htbridge.com/advisory/HTB23275nvdThird Party Advisory
www.securityfocus.com/archive/1/537020/100/0/threadednvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.056
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000