PT-2024-38804 · WordPress · Wp Extended
Marco Wotschka
·
Published
2024-09-04
·
Updated
2024-09-05
·
CVE-2024-8104
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
WP Extended plugin for WordPress versions up to, and including, 3.0.8
Description:
The issue allows authenticated attackers, with subscriber access and above, to read the contents of arbitrary files on the server, which can contain sensitive information, via the
download file ajax function. This enables potential exposure of sensitive data on the server.Recommendations:
For WP Extended plugin for WordPress versions up to, and including, 3.0.8, update to version 3.0.9 to secure your site.
As a temporary workaround, consider disabling the
download file ajax function until a patch is available.Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wp Extended