CVE request: WordPress plugin wppageflip index.php pageflipbook_language parameter traversal local file inclusion

[Henri Salo <henri () nerv fi>]

Can I get 2012 CVE for following vulnerability in A Page Flip Book plugin for
WordPress (wppageflip), thanks.

Description:

A Page Flip Book Plugin for WordPress contains a flaw that may allow a remote
attacker to execute arbitrary commands or code. This issue is triggered when
input passed to the wp-content/plugins/wppageflip/pageflipbook.php script from
index.php is not properly sanitizing user input, specifically directory
traversal style attacks (e.g., ../../) supplied to the 'pageflipbook_language'
parameter. This may allow an attacker to include a file from the targeted host
that contains arbitrary commands or code that will be executed by the vulnerable
script. Such attacks are limited due to the script only calling files already on
the target host. In addition, this flaw can potentially be used to disclose the
contents of any file on the system accessible by the web server.

Plugin page: http://wordpress.org/plugins/wppageflip/
Discussion:
http://wordpress.org/support/topic/pageflipbook-pageflipbook_language-parameter-local-file-inclusion
Related:
http://ceriksen.com/2012/07/10/wordpress-a-page-flip-book-plugin-local-file-inclusion-vulnerability/
http://secunia.com/advisories/49505/

I was unable to reproduce this vulnerability in version 3.0 of this plugin so
fixed in the latest version at least. Other versions not tested.

---
Henri Salo

Attachment: signature.asc
Description: Digital signature