Full Disclosure local file inclusion "0 day" vulnerability
A post today on the Full Disclosure list disclosed a "0 day" local file inclusion vulnerability. We've already fixed it for 2.2.6 and in 2.3, but the person who discovered it didn't wait until the release as we requested to disclose it.
As is often the case with these self-promotional messages, the likely impact is greatly exaggerated for nearly all real world use cases. A variety of people who aren't really looking at the issue see "LFI/RCE" and start spewing misleading things. Here is the reality of it.
A user with limited administrative rights having privileges to write files to the filesystem, and access to pkg.php or wizard.php pages, can escalate their privileges to that of a full administrator. In the vast majority of circumstances, admin users with rights to write files have full admin-level privileges, which makes it non-applicable.