PT-2008-1841 · WordPress · Wordpress

Published: 2008-01-10 · Updated: 2018-10-15 · CVE-2008-0196

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WordPress versions 2.0.11 and earlier

Description: The issue allows remote attackers to read arbitrary files by using a .. (dot dot) in the page parameter to certain PHP scripts under wp-admin/, or in the import parameter to wp-admin/admin.php. Attackers can also modify arbitrary files via a .. (dot dot) in the file parameter to wp-admin/templates.php. This can be exploited to discover the full path of the application by requesting the ....wp-config pathname.

Recommendations: For WordPress versions 2.0.11 and earlier, update to a version later than 2.0.11 to resolve the issue. As a temporary workaround, restrict access to the wp-admin/templates.php and wp-admin/admin.php scripts to minimize the risk of exploitation. Avoid using the page and import parameters of the affected endpoints until the issue is resolved.
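The two defensive patterns that close this class of bug are shown below as an added example; it is not WordPress's own code or the fix shipped after 2.0.11, and the function names, the allowlist contents and the temporary theme directory are assumptions constructed for the demonstration. A parameter such as page or import that selects among known scripts should be matched exactly against an allowlist and never concatenated into a path; a parameter such as file that genuinely names a file inside a directory should be rejected if it contains a .. segment and, after realpath canonicalisation, must still lie under the intended base directory.

```php
<?php
// Added example (not WordPress's own code): defensive handling for the
// ".." traversal pattern described in the advisory. Requires PHP 8.0+
// for str_contains() / str_starts_with().
declare(strict_types=1);

/**
 * Allowlist check for "page"/"import"-style parameters: the value selects
 * one of a fixed set of script names and is never used as a path fragment.
 * Anything containing a slash, backslash or ".." simply never matches.
 */
function resolve_allowed_page(string $requested, array $allowed): ?string
{
    return in_array($requested, $allowed, true) ? $requested : null;
}

/**
 * Containment check for a "file"-style parameter that legitimately names a
 * file inside $baseDir: reject traversal sequences and NUL bytes up front,
 * then canonicalise and require the result to stay under the base directory.
 */
function resolve_contained_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory does not exist
    }
    // A ".." path segment (with / or \ separators) or an embedded NUL is rejected
    // before the filesystem is consulted at all.
    if (str_contains($requested, "\0")
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $requested)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // target file does not exist
    }
    // Compare against base plus a trailing separator so that "/base2" cannot
    // pass as being inside "/base".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($candidate, $prefix) ? $candidate : null;
}

// Constructed demonstration values (assumed allowlist of admin scripts).
$allowedPages = ['index.php', 'options.php', 'themes.php'];
foreach (['themes.php', '../wp-config.php', '..\\wp-config.php'] as $p) {
    printf("page=%-20s -> %s\n", $p, resolve_allowed_page($p, $allowedPages) ?? 'rejected');
}

// Constructed temporary directory standing in for a theme folder.
$themeDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'theme-demo-' . getmypid();
mkdir($themeDir);
file_put_contents($themeDir . DIRECTORY_SEPARATOR . 'style.css', "/* demo */\n");
foreach (['style.css', '../../etc/passwd', 'sub/../style.css', 'missing.css'] as $f) {
    printf("file=%-20s -> %s\n", $f, resolve_contained_file($themeDir, $f) ?? 'rejected');
}
unlink($themeDir . DIRECTORY_SEPARATOR . 'style.css');
rmdir($themeDir);
```

Run with `php example.php`: only `themes.php` resolves through the allowlist, and only `style.css` resolves through the containment check; the traversal inputs, the `sub/../style.css` form (rejected conservatively even though realpath would normalise it) and the non-existent file are all refused. Rejecting early on the `..` pattern also gives a clean point at which to log the attempt, which is what a detection rule for this advisory would key on.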

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2008-0196

Affected Products

Wordpress