CVE-2015-5471
published 2016-01-12

Priority: P2, 75
Severity: medium, 5.3 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 32.71% (98.1th percentile)

Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.

Affected

1 range
Vendor | Product | Version range | Fixed in
swim_team_project | swim_team | |

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/wp-swimteam/include/user/download.php
url: {{BaseURL}}/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress
  • Monitor HTTP GET requests to /wp-content/plugins/wp-swimteam/include/user/download.php with a 'file' parameter containing absolute paths (e.g., /etc/passwd). The endpoint is unauthenticated and does not sanitize the 'file', 'filename', or 'contenttype' parameters.
  • Alert on query strings containing 'transient=1' and 'abspath=' alongside a 'file=' parameter pointing to system paths in requests to the wp-swimteam download.php endpoint.
  • Use the Google dork inurl:"/wp-content/plugins/wp-swimteam" to identify exposed WordPress instances running the vulnerable plugin.
  • Responses containing the pattern 'root:[x*]:0:0' in the body of a 200 OK response to the download.php endpoint confirm successful exploitation.
  • The vulnerability exists in Swim Team plugin version 1.44.10777 only; version 1.45beta3 and later include a fix. Detections should be scoped to installations running the vulnerable version.
  • The 'file' parameter value is URL-decoded before being passed to fopen(), so URL-encoded path traversal sequences (e.g., %2F) may bypass naive string-matching detections.
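
The monitoring and alerting bullets above, combined into one access-log check that percent-decodes the query string before matching, so an encoded `file=%2Fetc%2Fpasswd` is caught as well. This is an added example, not code from the plugin or from the sources quoted here; the combined-log line format, the `classify`/`scan` names, the two severity labels and the Windows drive-letter check are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/wp-content/plugins/wp-swimteam/include/user/download.php"
# Request field of a combined-format access log: "METHOD target HTTP/x.y" status
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: Windows hosts are in scope, so C:\ or C:/ also counts as absolute.
WIN_ABS = re.compile(r"^[A-Za-z]:[\\/]")

def classify(line):
    """Return None, 'suspicious' or 'high' for one access-log line."""
    m = REQ.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Decode the path as well, so an encoded endpoint name does not slip past.
    if not unquote(url.path).endswith(ENDPOINT):
        return None
    # parse_qs percent-decodes names and values, so the comparison runs on
    # the decoded form, the same form the page says reaches fopen().
    params = parse_qs(url.query, keep_blank_values=True)
    files = params.get("file", [])
    if not any(f.startswith("/") or WIN_ABS.match(f) for f in files):
        return None
    # 'transient' and 'abspath' alongside 'file' match the second alert bullet.
    if "transient" in params and "abspath" in params:
        return "high"
    return "suspicious"

def scan(lines):
    """Return (level, line) pairs for every line that matched."""
    hits = ((classify(line), line) for line in lines)
    return [(level, line) for level, line in hits if level]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2016:10:00:01 +0000] "GET /wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress HTTP/1.1" 200 1532',
    '203.0.113.7 - - [12/Jan/2016:10:00:05 +0000] "GET /wp-content/plugins/wp-swimteam/include/user/download.php?file=%2Fetc%2Fpasswd HTTP/1.1" 200 1532',
    '198.51.100.4 - - [12/Jan/2016:10:01:00 +0000] "GET /wp-content/plugins/wp-swimteam/include/user/download.php?file=roster.csv HTTP/1.1" 200 88',
    '198.51.100.4 - - [12/Jan/2016:10:02:00 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for level, line in scan(SAMPLE_LOG):
        print(level, line.split('"')[1])
```

A hit in the access log shows only that the request was made; confirming a leak still needs the response-body check from the list above, or a review of which files the web server account can read.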

CVSS provenance

nvd | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck | 5.3 | MEDIUM