[GHSA-g6mj-j7h3-8gxq] Improper Control of Filename for Include/Require... #7129
sjinks wants to merge 1 commit into sjinks/advisory-improvement-7129 from
Conversation
Pull request overview
This PR modifies the GitHub Security Advisory GHSA-g6mj-j7h3-8gxq (CVE-2026-28039) for the wpDataTables WordPress plugin, which has a Local File Inclusion vulnerability. The contributor argues the vulnerability is harder to exploit than originally assessed (admin-only, constrained file paths) and attempts to correct the affected products, severity, and other metadata.
Changes:
- Adds a "summary" field and an "affected" block listing wpdatatables as a Packagist package (with fix in 6.5.0.2)
- Removes the CVSS v3 severity score entirely and downgrades database_specific.severity from "HIGH" to "LOW"
- Adds a PACKAGE reference URL pointing to the WordPress.org plugin download
| "summary": "WordPress wpDataTables Plugin <= 6.5.0.1 is vulnerable to a Local File Inclusion", | ||
| "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion.This issue affects wpDataTables: from n/a through <= 6.5.0.1.", | ||
| "severity": [ | ||
| "severity": [], |
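Review bot: the "details" string shown here does not carry the prerequisite the PR relies on for the downgrade (the dynamic require is reachable only through an admin-only, nonce- and capability-protected action), so an advisory reader sees a lowered database_specific.severity with no justification in the advisory text itself; add that prerequisite to "details" in this same change. While editing the string, "from n/a through <= 6.5.0.1" should be aligned with the summary's "<= 6.5.0.1" and the affected range this PR adds ("fixed": "6.5.0.2"), rather than keeping the CNA's "n/a" wording.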
The CVSS v3 score (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) has been completely removed, leaving "severity": []. Other advisories in this repository consistently retain their CVSS scores (e.g., GHSA-226g-qx73-56w6, GHSA-2465-v3qx-qvx6). If the intent is to downgrade severity, the CVSS vector should be updated to reflect the lower severity rather than removed entirely, as this loses machine-readable severity information.
| "severity": [], | |
| "severity": [ | |
| { | |
| "type": "CVSS_V3", | |
| "score": "8.1", | |
| "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" | |
| } | |
| ], |
| "package": { | ||
| "ecosystem": "Packagist", | ||
| "name": "wpdatatables" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "6.5.0.2" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } |
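Review bot: "introduced": "0" asserts that every release since the plugin's first version contains the dynamic require, but the PR description analyses only the 6.5.0.1 sources (class.wpdatachart.php:468–471 and class.wpdatacolumn.php:674); either state the earliest version known to carry these includes or note in the PR that "0" is used because the introduction point was not determined, so a later editor does not read it as verified.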
The package name wpdatatables is not a valid Packagist package name. Packagist follows the vendor/package naming convention (e.g., devcode-it/openstamanager, solspace/craft-freeform). wpDataTables is a WordPress plugin, not a Composer package on Packagist. The PR description even acknowledges this: "I've set the ecosystem to 'composer' because otherwise the system does not allow me to submit the correction."
Adding this entry with the wrong ecosystem could incorrectly flag unrelated packages. Other WordPress plugin advisories in this repository (e.g., GHSA-2465-v3qx-qvx6) correctly use "affected": [] since there is no appropriate ecosystem for WordPress plugins in the advisory schema. This affected block should be removed or left empty until the schema supports a WordPress ecosystem.
Comments
Dynamic includes (chart/column builders):
6.5.0.1/source/class.wpdatachart.php:468–471 and 6.5.0.1/source/class.wpdatacolumn.php:674 use unsanitized require_once() targets, but both are admin-only operations (nonce + capability protected), not unauthenticated.

The LFI itself is hardly exploitable because you have to deal with the .wpdatachart.php suffix and the class. prefix (guarded by capability check):

or the second dynamic require (guarded by capability and nonce check):

Because PHP does not allow embedding \0 into filenames (for like 15 years), this makes it nearly impossible to exploit this "vulnerability".

Note: I've set the ecosystem to "composer" because otherwise the system does not allow me to submit the correction.
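The constraints argued in the PR description (a fixed "class." prefix and ".wpdatachart.php" suffix around the include target, and PHP's refusal to open paths containing a NUL byte) can be checked directly. The following is an added example written for this page; it is not wpDataTables' code, and the engine names, the directory layout, the exact place where the prefix is applied, and the function names loadEngineUnsafe/loadEngineSafe are assumptions. It builds the include path the way the description suggests, tries a legitimate name, a "../" payload and a NUL-terminated payload against the vulnerable shape, and then shows the hardened shape (allowlist plus realpath containment) that a fix would normally use. It goes one step beyond the description by showing that, when the prefix is part of the basename, "../" after it does not even begin a traversal, because the first path component becomes "class..." rather than "..".

```php
<?php
declare(strict_types=1);

// Added example, not code from wpDataTables. Reproduces the include-path shape
// discussed in the PR: attacker input wrapped in a fixed "class." prefix and
// ".wpdatachart.php" suffix. Engine names, layout and function names are assumed.
// Requires PHP 8.0+ (str_starts_with). Writes a few files under the system temp dir.

// Turn warnings ("Failed to open stream", "Filename contains null byte" on older
// PHP) into exceptions so every attempt below is reported instead of aborting.
set_error_handler(static function (int $no, string $msg): bool {
    throw new ErrorException($msg, $no);
});

$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/source", 0700, true);
mkdir("$root/outside", 0700, true);
// Constructed engine file: the only legitimate include target.
file_put_contents("$root/source/class.google.wpdatachart.php",
    "<?php return 'google engine loaded';");
// Constructed file an attacker would want to reach; it lacks the required suffix.
file_put_contents("$root/outside/wp-config.php", "<?php return 'SECRET';");

/** Path exactly as the vulnerable shape builds it: prefix . input . suffix. */
function buildEnginePath(string $root, string $engine): string
{
    return "$root/source/class.{$engine}.wpdatachart.php";
}

/** Vulnerable shape: raw input inside the fixed prefix/suffix, then include. */
function loadEngineUnsafe(string $root, string $engine): string
{
    $result = include buildEnginePath($root, $engine);
    return (string) $result;
}

/** Hardened shape: allowlist first, then containment check on the resolved path. */
function loadEngineSafe(string $root, string $engine): string
{
    $allowed = ['google', 'highcharts', 'chartjs'];   // assumed engine list
    if (!in_array($engine, $allowed, true)) {
        throw new InvalidArgumentException("unknown engine '$engine'");
    }
    $dir  = realpath("$root/source");
    $path = realpath(buildEnginePath($root, $engine));
    if ($path === false || !str_starts_with($path, $dir . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('engine path escapes the source directory');
    }
    $result = include $path;
    return (string) $result;
}

$attempts = [
    'google',                      // legitimate engine name
    '../outside/wp-config',        // "../" payload: suffix is still appended
    "../outside/wp-config.php\0",  // NUL byte intended to cut off the suffix
];

foreach ([['unsafe', 'loadEngineUnsafe'], ['safe', 'loadEngineSafe']] as [$label, $fn]) {
    foreach ($attempts as $engine) {
        try {
            $out = $fn($root, $engine);
        } catch (Throwable $e) {
            $out = get_class($e) . ': ' . $e->getMessage();
        }
        printf("%-6s %-28s path=%s\n       -> %s\n",
            $label, addcslashes($engine, "\0"),
            addcslashes(buildEnginePath($root, $engine), "\0"), $out);
    }
}
```

Run it with `php demo.php`. Only "google" loads in either variant; the "../" attempt fails to open because the built path starts with a non-existent "class..." component, and the NUL attempt is rejected by PHP before any file is touched (a warning on PHP 7, an exception on PHP 8), which is the behaviour the description relies on. The hardened loader rejects both payloads at the allowlist before the filesystem is consulted at all, and the realpath containment check is there for the case where an allowlisted name is ever made configurable.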