CVE-2017-14719
Published: 2017-09-23

CVE-2017-14719: Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.
Priority: P349 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 13.38% (95.9th percentile)
Affected
207 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 4.8.2+dfsg-1 (bookworm) | wordpress 4.8.2+dfsg-1 (bookworm) |
| wordpress | wordpress | — | — |
Detection & IOCs
- Vulnerability exists in WordPress versions before 4.8.2 in the ZipArchive and PclZip components during unzip operations; monitor for directory traversal sequences (e.g., '../') within uploaded ZIP archive file paths/entries
- Vulnerability is scoped as local; exploitation requires the ability to trigger unzip operations (e.g., plugin/theme upload), limiting remote attack surface
- Fixed in WordPress 4.8.2 and Debian package 4.8.2+dfsg-1 across all tracked Debian releases; ensure upgrade to at least this version
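CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |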
GHSA
GHSA-8rmg-wmq4-q93v: Before version 4
ghsa_unreviewed · 2022-05-17
CVE-2017-14719 [HIGH] CWE-22
OSV
CVE-2017-14719: Before version 4
osv · 2017-09-23 · CVSS 7.5
CVE-2017-14719 [HIGH]
Debian
CVE-2017-14719: wordpress - Before version 4.8.2, WordPress was vulnerable to a directory traversal attack d...
vendor_debian · 2017 · CVSS 7.5
CVE-2017-14719 [HIGH]
Scope: local
bookworm: resolved (fixed in 4.8.2+dfsg-1)
bullseye: resolved (fixed in 4.8.2+dfsg-1)
forky: resolved (fixed in 4.8.2+dfsg-1)
sid: resolved (fixed in 4.8.2+dfsg-1)
trixie: resolved (fixed in 4.8.2+dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- http://www.securityfocus.com/bid/100912
- http://www.securitytracker.com/id/1039553
- https://core.trac.wordpress.org/changeset/41457
- https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
- https://wpvulndb.com/vulnerabilities/8911
- https://www.debian.org/security/2017/dsa-3997