CVE-2023-2688
Severity
4.9MEDIUM
EPSS
0.2%
top 58.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 9
Latest updateApr 10
Description
The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4.19.1 via the vulnerable parameter wfu_newpath. This allows administrator-level attackers to move files uploaded with the plugin (located in wp-content/uploads by default) outside of the web root.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6
Affected Packages4 packages
Patches
🔴Vulnerability Details
3GHSA▶
GHSA-9f3m-9cwg-r3h9: The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4↗2023-06-09
CVEList▶
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Path Traversal↗2023-06-09