CVE-2024-12719

Medium CVSS: 4.3

The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wfu_ajax_action_read_subfolders' function in all versions up to, and including, 4.24.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform limited path traversal to view directories and subdirectories in WordPress. Files cannot be viewed.

Vendor

Iptanus

Product

Wordpress File Upload

CWE

CWE-862

Yayın Tarihi

2025-01-07 10:15:07

Güncelleme

2025-03-13 17:23:01

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-862 Wordpress File Upload MEDIUM Iptanus 2025

Referanslar

https://plugins.trac.wordpress.org/browser/wp-file-upload/trunk/lib/wfu_ajaxactions.php#L849 https://plugins.trac.wordpress.org/changeset/3217005/ https://www.wordfence.com/threat-intel/vulnerabilities/id/314ae0f5-8a4e-4bf3-9fc9-49f5b036b99e?source=cve

Benzer Kayıtlar

Medium

CVE-2024-13494

The WordPress File Upload plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and in…

High

CVE-2024-9939

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.2…

Critical

CVE-2024-11635

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi…

Critical

CVE-2024-11613

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrar…