CVE-2019-1010257

Name of the Vulnerable Software and Affected Versions: article2pdf Wordpress plugin versions 0.24 through 0.27

Description: An Information Disclosure / Data Modification issue exists in the article2pdf getfile.php file. A URL can be constructed to override the PDF file's path, allowing the download of any PDF file whose path is known and readable to the web server. The file will be deleted after download if the web server has permission to do so. For PHP versions before 5.3, any file can be read by null terminating the string left of the file extension.

Recommendations: For versions 0.24 through 0.27, consider disabling the article2pdf getfile.php file until a patch is available to prevent exploitation. Restrict access to sensitive PDF files to minimize the risk of unauthorized download. Avoid using PHP versions before 5.3, as they are more susceptible to file reading vulnerabilities. At the moment, there is no information about a newer version that contains a fix for this vulnerability.