PT-2014-3299 · WordPress · Advanced Dewplayer Plugin

Henrisalo

Published

2014-01-02

Updated

2014-02-25

CVE-2013-7240

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions Advanced Dewplayer plugin version 1.2 for WordPress

Description The issue allows remote attackers to read arbitrary files via a .. (dot dot) in the dew file parameter in the download-file.php file.

Recommendations For Advanced Dewplayer plugin version 1.2, consider restricting access to the download-file.php file until a patch is available, or avoid using the dew file parameter in the affected endpoint.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2013-7240

Affected Products

Advanced Dewplayer Plugin

PT-2014-3299 · WordPress · Advanced Dewplayer Plugin

CVE-2013-7240

Weakness Enumeration

Related Identifiers

Affected Products

References · 7