cbcvebase.
CVE-2017-14719
published 2017-09-23

CVE-2017-14719: Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.

Priority: P349 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 13.38% (95.9th percentile)

Affected

207 ranges · showing 25
Vendor | Product | Version range | Fixed in
debian | wordpress | < wordpress 4.8.2+dfsg-1 (bookworm) | wordpress 4.8.2+dfsg-1 (bookworm)
wordpress | wordpress | |

Detection & IOCs (extracted from sources)

  • Vulnerability exists in WordPress versions before 4.8.2 in the ZipArchive and PclZip components during unzip operations; monitor for directory traversal sequences (e.g., '../') within uploaded ZIP archive file paths/entries.
  • Vulnerability is scoped as local; exploitation requires the ability to trigger unzip operations (e.g., plugin/theme upload), limiting remote attack surface.
  • Fixed in WordPress 4.8.2 and Debian package 4.8.2+dfsg-1 across all tracked Debian releases; ensure upgrade to at least this version.

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
osv | | 7.5 | HIGH |
vendor_debian | | 7.5 | HIGH |