CVE-2014-9014

Name of the Vulnerable Software and Affected Versions WP Marketplace plugin versions prior to 2.4.1

Description The issue allows remote authenticated users to download arbitrary files. This is achieved by exploiting a directory traversal vulnerability in the ajaxinit function, specifically by using a .. (dot dot) in the file parameter.

Recommendations For WP Marketplace plugin versions prior to 2.4.1, update to version 2.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajaxinit function in the cart.php file to minimize the risk of exploitation. Avoid using the file parameter in the affected endpoint until the issue is resolved.