Patchstack now reports this issue has been fixed by version 0.92.0:
https://patchstack.com/database/wordpress/plugin/list-category-posts/vulnerability/wordpress-list-category-posts-0-90-3-local-file-inclusion-vulnerability
It was never a critical issue if you are using strong unique passwords and 2FA to prevent unauthorized logins for users with Contributor privileges or higher.
I got in touch with both Patchstack and Wordfence yesterday after releasing the new version. I haven’t heard back from them yet.
Oh, hadn’t seen that message. Patchstack has marked it as fixed, thanks @mountain-hiker-1!
Thanks for your attention to this, @fernandobt and @zymeth25!
In case it is helpful, here are some tips from Wordfence for securing local file inclusion when it is needed: https://www.wordfence.com/blog/2025/10/how-to-find-local-file-inclusion-lfi-vulnerabilities-in-wordpress-plugins-and-themes/#how-to-prevent-lfi-vulnerabilities
Not sure if these are practical in the List Category Posts code or not, but thought I’d post them here in case they’re helpful for addressing the security risk while not breaking an important part of how the plugin works.