PT-2024-23748 · WordPress · The Spectra – WordPress Gutenberg Blocks
Ancorn
Published 2024-05-02 · Updated 2024-05-11
CVE-2024-3107
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
The Spectra – WordPress Gutenberg Blocks plugin versions up to, and including, 2.12.6
Description
The issue allows authenticated attackers with contributor-level permissions and above to read the contents of any file named attributes.php on the server, which can contain sensitive information. The read is performed through the plugin's get_block_default_attributes function.
Recommendations
For versions up to, and including, 2.12.6, update to a version that contains a fix for this issue to prevent path traversal attacks.
As a temporary workaround, consider restricting access to the get_block_default_attributes function until a patch is available.
Fix
Path traversal
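As an added example (not Spectra's code), the pattern a plugin can use to resolve a block's attributes.php safely: the block identifier is allowlisted and the canonical path is confirmed to stay inside the blocks directory before the file is included. The function name load_block_default_attributes, the $blocks_dir layout and the block-name parameter are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's own code. Assumed layout:
// $blocks_dir/<block-name>/attributes.php returns an array.

function load_block_default_attributes( string $block_name, string $blocks_dir ): array {
    // 1. Allowlist the identifier before it touches the filesystem:
    //    lowercase slugs only, so dot segments, separators, absolute
    //    paths and null bytes are rejected up front.
    if ( ! preg_match( '/^[a-z0-9][a-z0-9-]{0,63}$/', $block_name ) ) {
        return array();
    }

    $base = realpath( $blocks_dir );
    if ( false === $base ) {
        return array();
    }

    // 2. Canonicalise the final path and require it to stay below $base.
    //    realpath() collapses symlinks and any remaining dot segments, so
    //    the prefix check runs on the real location, not the input string.
    $file = realpath( $base . DIRECTORY_SEPARATOR . $block_name . DIRECTORY_SEPARATOR . 'attributes.php' );
    if ( false === $file || 0 !== strncmp( $file, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) ) {
        return array();
    }

    // 3. Only a file that passed both checks is included.
    $attributes = include $file;
    return is_array( $attributes ) ? $attributes : array();
}

// Constructed inputs for a defender-side check: a valid slug is resolved
// normally, while traversal and absolute-path values return an empty array
// without any filesystem access beyond resolving $blocks_dir itself.
$blocks_dir = __DIR__ . '/blocks';
var_dump( load_block_default_attributes( 'container', $blocks_dir ) );
var_dump( load_block_default_attributes( '../../../other-plugin/block', $blocks_dir ) );
var_dump( load_block_default_attributes( '/absolute/path', $blocks_dir ) );
```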
Affected Products
The Spectra – WordPress Gutenberg Blocks