Player Leaderboard Plugin Vulnerability

HIGH (8.8)

Threat Intelligence

Low Risk
EPSS Score: 0.40% chance of exploitation (percentile: 60%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The Player Leaderboard plugin is a WordPress plugin used to display player statistics on gaming websites. This vulnerability allows attackers to execute arbitrary PHP code on the server by including and executing malicious files via the 'player_leaderboard' shortcode, which is vulnerable to Local File Inclusion (LFI). If an attacker can manipulate this shortcode with user-supplied input, they can bypass access controls, obtain sensitive data, or achieve full remote code execution.
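To make the LFI shape concrete, here is an added example (not the Player Leaderboard plugin's own code) of a shortcode handler that selects a template file from a shortcode attribute, first in the unsafe form and then hardened with an allowlist and a path-containment check. The attribute name 'view', the template names and the templates directory are assumptions; the advisory does not state which attribute is affected.

```php
<?php
// Added example, not the plugin's code. Attribute 'view', the template
// names and the 'templates/' directory are assumptions for illustration.

// UNSAFE (hypothetical): the attribute value reaches include() unchecked, so
// whatever ends up in the shortcode selects an arbitrary local file. Any PHP
// in that file is executed. This is the Local File Inclusion pattern.
function leaderboard_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'view' => 'default' ), $atts );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['view'] . '.php';
    return ob_get_clean();
}

// HARDENED: accept only names on a fixed allowlist, then verify that the
// resolved path is still inside the plugin's templates directory.
function leaderboard_shortcode_safe( $atts ) {
    $allowed = array( 'default', 'compact', 'detailed' ); // assumed names
    $atts    = shortcode_atts( array( 'view' => 'default' ), $atts );
    $view    = sanitize_key( $atts['view'] ); // lowercase [a-z0-9_-] only

    if ( ! in_array( $view, $allowed, true ) ) {
        $view = 'default';
    }

    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $view . '.php' );

    // realpath() returns false for a missing file; the prefix check rejects
    // anything that resolved outside the templates directory (e.g. a symlink).
    if ( false === $base || false === $file
         || 0 !== strncmp( $file, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) ) {
        return '';
    }

    ob_start();
    include $file;
    return ob_get_clean();
}

add_shortcode( 'player_leaderboard', 'leaderboard_shortcode_safe' );
```

The allowlist is what actually closes the hole; the realpath() containment check is defence in depth against a future change that relaxes the allowlist.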

Am I affected?

You're affected if you use the Player Leaderboard plugin. Specific version information is not stated in the advisory.

How to fix

- Upgrade to Player Leaderboard plugin version 1.0.3 or later from the official WordPress Plugin Directory (https://wordpress.org/plugins/player-leaderboard/) or through your WordPress dashboard.
- If immediate upgrade isn't possible, restrict network access to your WordPress installation and ensure no user-supplied input is used in the 'player_leaderboard' shortcode.