A Path Traversal vulnerability exists in Roundcube versions before 1.4.4, 1.3.11 and 1.2.10.
Because the "_plugins_<PLUGIN_NAME>" parameters do not perform sanitization/input filtering, an attacker with access to the Roundcube Installer can leverage a path traversal vulnerability to include arbitrary PHP files on the local system.
The vendor's disclosure and fix for this vulnerability can be found here.
This vulnerability requires:
- Access to the Roundcube Webmail installer component
- Write access to the target's filesystem
More details and the exploitation process can be found in this PDF.