Local File Inclusion vulnerability in Form Maker By WD (Pro) <= 1.12.18

We found a local file inclusion vulnerability in the Form Maker By WD plugin (Pro version). The free version has over 100,000 active installs.

Details about the vulnerability:

The form_maker_ajax_frontend function is hooked to nopriv (unauthenticated) AJAX actions such as wp_ajax_nopriv_get_frontend_stats, wp_ajax_nopriv_frontend_show_map and wp_ajax_nopriv_frontend_generate_csv. The problem with this function is that it takes the name of the file to include from an HTTP GET variable and then includes that page without validating it. As a result, a PHP file from any directory on the server can be included.
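The pattern the advisory describes next to a hardened form, as an added illustration rather than the plugin's own code. The GET parameter name (page), the file names in the allowlist and the hook registration are assumptions; only the handler name and the three AJAX actions come from the advisory.

```php
<?php
// Illustrative reconstruction, not the plugin's actual source.
// Assumption: the handler reads a file name from a GET parameter
// (called 'page' here, a placeholder) and includes it from the
// plugin's frontend directory.

// VULNERABLE PATTERN: the user-controlled value reaches include()
// unchanged, so the request decides which file on disk is executed.
function form_maker_ajax_frontend_vulnerable() {
    $page = isset( $_GET['page'] ) ? $_GET['page'] : '';
    include_once plugin_dir_path( __FILE__ ) . 'frontend/' . $page . '.php';
    wp_die();
}

// HARDENED PATTERN: the request only selects a key in a fixed map;
// the file path itself is never built from user input, so traversal
// sequences or absolute paths cannot reach include().
function form_maker_ajax_frontend_hardened() {
    $allowed = array( // file names are placeholders
        'get_frontend_stats'    => 'frontend/stats.php',
        'frontend_show_map'     => 'frontend/map.php',
        'frontend_generate_csv' => 'frontend/generate_csv.php',
    );
    // sanitize_key() keeps only [a-z0-9_-], then the allowlist decides.
    $page = isset( $_GET['page'] ) ? sanitize_key( $_GET['page'] ) : '';
    if ( ! isset( $allowed[ $page ] ) ) {
        wp_send_json_error( 'unknown action', 400 ); // exits
    }
    include_once plugin_dir_path( __FILE__ ) . $allowed[ $page ];
    wp_die();
}

// The three unauthenticated actions named in the advisory all route
// to the same handler; the hardened one is registered here.
foreach ( array( 'get_frontend_stats', 'frontend_show_map', 'frontend_generate_csv' ) as $action ) {
    add_action( 'wp_ajax_nopriv_' . $action, 'form_maker_ajax_frontend_hardened' );
    add_action( 'wp_ajax_' . $action, 'form_maker_ajax_frontend_hardened' );
}
```

A quick check for this class of bug is to grep the plugin for include/require calls whose argument contains $_GET, $_POST or $_REQUEST; every hit should resolve through a fixed map like the one above rather than string concatenation.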

The vulnerability was fixed in version 1.12.18 after we reported it to the author.