PT-2017-12154 · Innovatech · Wp Rocket

Published

2017-07-26

Updated

2017-08-04

CVE-2017-11658

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions WP Rocket plugin version 2.9.3

Description The issue concerns the Local File Inclusion mitigation technique in the WP Rocket plugin, which trims traversal characters (..) but is insufficient to prevent remote attacks. This weakness can be exploited by using 0x00 bytes, as shown in a .%00.../.%00.../ attack.

Recommendations For WP Rocket plugin version 2.9.3, consider disabling the Local File Inclusion feature until a patch is available to prevent potential remote attacks.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2017-11658

Affected Products

Wp Rocket

PT-2017-12154 · Innovatech · Wp Rocket

CVE-2017-11658

Weakness Enumeration

Related Identifiers

Affected Products

References · 5