cbcvebase.
CVE-2015-5065
published 2015-06-24

Priority: P271, medium
CVSS 2.0: 5
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 16.32% (96.6th percentile)
Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read arbitrary files via a full pathname in the requrl parameter.

Affected

1 ranges
Vendor: intelligent-it
Product: paypal_currency_converter_basic_for_woocommerce
Version range: < 1.4
Fixed in: 1.4

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php
filename: proxy.php
url: http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
  • Monitor HTTP requests targeting proxy.php in the paypal-currency-converter-basic-for-woocommerce plugin path with a 'requrl' parameter containing an absolute file path (e.g., starting with '/').
  • Use the Google dork 'inurl:"paypal-currency-converter-basic-for-woocommerce"' to identify exposed vulnerable installations.
  • The vulnerable parameter is 'requrl'; flag any request where its value is a full/absolute pathname rather than a remote URL.
  • The vulnerability allows reading of non-executed local files (e.g., HTML, config files), but files executed server-side (e.g., PHP) are not returned as source — limiting but not eliminating the attack surface.
  • Only plugin versions before 1.4 are vulnerable; version 1.4 and later contain the fix.
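
The monitoring rule in the bullets above, as an added example (not code from this page's sources or from the plugin): a Python filter over access log lines that flags requests to the plugin's proxy.php whose requrl value decodes to an absolute pathname instead of a remote URL. The combined log format, the constructed sample lines, and the Windows drive-letter check are assumptions that go beyond the page's '/' example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named on this page.
PLUGIN_PATH = "/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php"
PARAM = "requrl"

# Assumed combined-format access log: client IP, quoted request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: also treat Windows drive-letter paths as absolute pathnames.
WINDOWS_ABS_RE = re.compile(r"^[A-Za-z]:[\\/]")

def is_absolute_path(value):
    """True when value is a local absolute pathname rather than a remote URL."""
    value = value.strip()
    return value.startswith("/") or bool(WINDOWS_ABS_RE.match(value))

def find_suspicious(lines):
    """Return one record per request to proxy.php carrying an absolute-path requrl."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        target = urlsplit(m.group("target"))
        # endswith() also covers WordPress installed under a subdirectory.
        if not unquote(target.path).lower().endswith(PLUGIN_PATH):
            continue
        # parse_qs percent-decodes once, matching what the PHP script receives.
        for value in parse_qs(target.query, keep_blank_values=True).get(PARAM, []):
            if is_absolute_path(value):
                hits.append({"ip": m.group("ip"),
                             "status": int(m.group("status")),
                             "requrl": value})
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2015:10:00:01 +0000] "GET ' + PLUGIN_PATH + '?requrl=/etc/passwd HTTP/1.1" 200 1204',
    '192.0.2.10 - - [24/Jun/2015:10:00:05 +0000] "GET ' + PLUGIN_PATH + '?requrl=http://www.google.com/finance/converter?a=1&from=USD&to=EUR HTTP/1.1" 200 512',
    '198.51.100.23 - - [24/Jun/2015:10:00:09 +0000] "GET /blog' + PLUGIN_PATH + '?requrl=%2Fetc%2Fpasswd HTTP/1.1" 200 1204',
    '192.0.2.44 - - [24/Jun/2015:10:00:12 +0000] "GET /index.php?requrl=/etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the case to triage first, since it suggests file contents were returned.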

CVSS provenance

nvd: v2.0, 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck: 5.0 MEDIUM