diff --git a/CHANGELOG b/CHANGELOG
index c00e86354..5502314ae 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -43,6 +43,7 @@ CHANGELOG Roundcube Webmail
 - Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
 - Security: Fix XSS issue in handling of CDATA in HTML messages
 - Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
+- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
 
 RELEASE 1.4.3
 -------------
diff --git a/program/lib/Roundcube/rcube_plugin_api.php b/program/lib/Roundcube/rcube_plugin_api.php
index dfa078882..7446829fa 100644
--- a/program/lib/Roundcube/rcube_plugin_api.php
+++ b/program/lib/Roundcube/rcube_plugin_api.php
@@ -164,6 +164,14 @@ class rcube_plugin_api
             $plugins_dir = unslashify($dir->path);
         }
 
+        // Validate the plugin name to prevent from path traversal
+        if (preg_match('/[^a-zA-Z0-9_-]/', $plugin_name)) {
+            rcube::raise_error(array('code' => 520,
+                'file' => __FILE__, 'line' => __LINE__,
+                'message' => "Invalid plugin name: $plugin_name"), true, false);
+            return false;
+        }
+
         // plugin already loaded?
         if (!$this->plugins[$plugin_name]) {
             $fn = "$plugins_dir/$plugin_name/$plugin_name.php";
@@ -283,6 +291,14 @@ class rcube_plugin_api
         $fn = unslashify($dir->path) . "/$plugin_name/$plugin_name.php";
         $info = false;
 
+        // Validate the plugin name to prevent from path traversal
+        if (preg_match('/[^a-zA-Z0-9_-]/', $plugin_name)) {
+            rcube::raise_error(array('code' => 520,
+                'file' => __FILE__, 'line' => __LINE__,
+                'message' => "Invalid plugin name: $plugin_name"), true, false);
+            return false;
+        }
+
         if (!class_exists($plugin_name, false)) {
             if (is_readable($fn)) {
                 include($fn);
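Review bot: The allow-list check added before `// plugin already loaded?` lets an empty plugin name through, since `preg_match('/[^a-zA-Z0-9_-]/', '')` finds nothing, and the code then builds `"$plugins_dir//.php"` and goes on to the include path; an empty or non-string value coming from the 'plugins' config should be rejected alongside traversal characters, e.g. `if (!is_string($plugin_name) || $plugin_name === '' || preg_match('/[^a-zA-Z0-9_-]/', $plugin_name)) {`. The same regex literal and error block are repeated verbatim in the second hunk (the `$fn = unslashify($dir->path) . ...` method around line 291); a single private helper such as `is_valid_plugin_name()` or a class constant holding the pattern would keep the two checks from drifting apart when one is later tightened. The enclosing method begins before this hunk, so the origin of `$plugin_name` is not visible here.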
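Review bot: The rejected name is interpolated unmodified into the error message, `"Invalid plugin name: $plugin_name"`, and passed to `rcube::raise_error(..., true, false)`; a name is rejected precisely because it contains characters outside `[a-zA-Z0-9_-]`, which may include newlines or other control bytes, so, depending on how `raise_error` writes its log line, the logged entry can carry those bytes through unescaped. A defensive form that keeps the diagnostic useful is `'message' => 'Invalid plugin name: ' . addcslashes($plugin_name, "\0..\37\177")`, or truncating the value to a short prefix. This applies equally to the identical block in the first hunk (around line 164).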