CVE-2014-8801

Name of the Vulnerable Software and Affected Versions Paid Memberships Pro plugin versions prior to 1.7.15

Description The issue allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY STRING in a getfile action to "wp-admin/admin-ajax.php". This is a directory traversal vulnerability in the services/getfile.php file.

Recommendations For versions prior to 1.7.15, update to version 1.7.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin-ajax.php" endpoint for the getfile action to minimize the risk of exploitation.