CVE-2022-0779

Name of the Vulnerable Software and Affected Versions User Meta WordPress plugin versions prior to 2.4.4

Description The issue concerns the User Meta WordPress plugin, where the filepath parameter of its um show uploaded file AJAX action is not properly validated. This could allow low-privileged users, such as subscribers, to enumerate local files on the web server via path traversal payloads.

Recommendations For versions prior to 2.4.4, update to version 2.4.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the um show uploaded file AJAX action to prevent low-privileged users from exploiting the vulnerability.