CVE-2008-0196
published 2008-01-10
CVE-2008-0196: Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the page…
Priority P432 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 3.42% (87.4th percentile)
Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the page parameter to certain PHP scripts under wp-admin/ or (2) the import parameter to wp-admin/admin.php, as demonstrated by discovering the full path via a request for the \..\..\wp-config pathname; and allow remote attackers to modify arbitrary files via a .. (dot dot) in the file parameter to wp-admin/templates.php.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 2.3.3-1 (bookworm) | wordpress 2.3.3-1 (bookworm) |
| wordpress | wordpress | <= 2.0.11 | — |
| wordpress | wordpress | >= 0 < 2.3.3-1 | 2.3.3-1 |
| wordpress | wordpress | >= 0 < 2.3.3-1 | 2.3.3-1 |
| wordpress | wordpress | >= 0 < 2.3.3-1 | 2.3.3-1 |
| wordpress | wordpress | >= 0 < 2.3.3-1 | 2.3.3-1 |
CVSS provenance
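| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |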
Debian
CVE-2008-0196: wordpress - Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier all...
vendor_debian·2008·CVSS 5.0
CVE-2008-0196 [MEDIUM] CVE-2008-0196: wordpress - Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier all...
Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the page parameter to certain PHP scripts under wp-admin/ or (2) the import parameter to wp-admin/admin.php, as demonstrated by discovering the full path via a request for the \..\..\wp-config pathname; and allow remote attackers to modify arbitrary files via a .. (dot dot) in the file parameter to wp-admin/templates.php.
Scope: local
bookworm: resolved (fixed in 2.3.3-1)
bullseye: resolved (fixed in 2.3.3-1)
forky: resolved (fixed in 2.3.3-1)
sid: resolved (fixed in 2.3.3-1)
trixie: resolved (fixed in 2.3.3-1)
GHSA
GHSA-752f-j58r-mc8q: Multiple directory traversal vulnerabilities in WordPress 2
ghsa_unreviewed·2022-05-01
CVE-2008-0196 [MEDIUM] CWE-22 GHSA-752f-j58r-mc8q: Multiple directory traversal vulnerabilities in WordPress 2
Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the page parameter to certain PHP scripts under wp-admin/ or (2) the import parameter to wp-admin/admin.php, as demonstrated by discovering the full path via a request for the \..\..\wp-config pathname; and allow remote attackers to modify arbitrary files via a .. (dot dot) in the file parameter to wp-admin/templates.php.
OSV
CVE-2008-0196: Multiple directory traversal vulnerabilities in WordPress 2
osv·2008-01-10·CVSS 5.0
CVE-2008-0196 [MEDIUM] CVE-2008-0196: Multiple directory traversal vulnerabilities in WordPress 2
Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the page parameter to certain PHP scripts under wp-admin/ or (2) the import parameter to wp-admin/admin.php, as demonstrated by discovering the full path via a request for the \..\..\wp-config pathname; and allow remote attackers to modify arbitrary files via a .. (dot dot) in the file parameter to wp-admin/templates.php.
No detection rules found.
Bugzilla
CVE-2008-6679 CVE-2009-0196 CVE-2009-0792 ghostscript various flaws [F9]
bugzilla·2009-04-15·CVSS 5.0
CVE-2008-6679 [MEDIUM] CVE-2008-6679 CVE-2009-0196 CVE-2009-0792 ghostscript various flaws [F9]
F9 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
ghostscript-8.63-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ghostscript-8.63-3.fc9
---
ghostscript-8.63-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2008-6679 CVE-2009-0196 CVE-2009-0792 ghostscript various flaws [F10]
bugzilla·2009-04-15·CVSS 5.0
CVE-2008-6679 [MEDIUM] CVE-2008-6679 CVE-2009-0196 CVE-2009-0792 ghostscript various flaws [F10]
F10 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
*** Bug 480775 has been marked as a duplicate of this bug. ***
---
ghostscript-8.63-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ghostscript-8.63-6.fc10
---
ghostscript-8.63-6.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059439.html
http://securityreason.com/securityalert/3539
http://securityvulns.ru/Sdocument762.html
http://securityvulns.ru/Sdocument768.html
http://securityvulns.ru/Sdocument772.html
http://securityvulns.ru/Sdocument773.html
http://websecurity.com.ua/1679/
http://websecurity.com.ua/1683/
http://websecurity.com.ua/1686/
http://websecurity.com.ua/1687/
http://www.securityfocus.com/archive/1/485786/100/0/threaded
Published: 2008-01-10