PT-2024-37192 · WordPress · Wordpress File Upload
Colin Xu
·
Published
2024-07-16
·
Updated
2024-08-07
·
CVE-2024-5852
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
WordPress File Upload plugin for WordPress versions up to, and including, 4.24.7
Description:
The issue allows authenticated attackers with Contributor-level access and above to upload limited files to arbitrary locations on the web server due to a Directory Traversal vulnerability. This is possible via the
uploadpath parameter of the "wordpress file upload" shortcode.Recommendations:
For WordPress File Upload plugin for WordPress versions up to, and including, 4.24.7:
Update to a version later than 4.24.7 to resolve the issue.
As a temporary workaround, consider restricting access to the
uploadpath parameter in the wordpress file upload shortcode to minimize the risk of exploitation.Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wordpress File Upload