Local-File-Inclusion

The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion (CVE-2026-9200) in versions up to 0.2.1, allowing authenticated attackers with contributor-level access and above to include and execute arbitrary PHP files on the server, potentially leading to privilege escalation and code execution.

The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion (LFI) in versions up to 4.1.0, allowing authenticated attackers with subscriber-level access to include and execute arbitrary PHP files on the server via the 'template' parameter, potentially leading to access control bypass, sensitive data access, or code execution.

A local file inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json` within esm.sh, allowing an attacker to publish a malicious npm package that causes the server to read arbitrary files from the host filesystem.

A vulnerability in OpenClaw versions 2026.4.7 to before 2026.4.15 allows a crafted tool-result media reference to cause the host to attempt local file reads or Windows UNC/network path access, potentially disclosing files or network credentials.