CVE-2023-2688
published 2023-06-09CVE-2023-2688: The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4.19.1 via the…
PriorityP430medium4.9CVSS 3.1
AVNACLPRHUINSUCNIHAN
EPSS
1.74%
74.8th percentile
The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4.19.1 via the vulnerable parameter wfu_newpath. This allows administrator-level attackers to move files uploaded with the plugin (located in wp-content/uploads by default) outside of the web root.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iptanus | wordpress_file_upload | <= 4.19.1 | — |
| iptanus | wordpress_file_upload_pro | <= 4.19.1 | — |
| nickboss | iptanus_file_upload | <= 4.19.1 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
File Upload Plugin/File Upload Pro Plugin up to 4.19.1 on WordPress path traversal
vuldb·2026-04-10·CVSS 4.9
CVE-2023-2688 [MEDIUM] File Upload Plugin/File Upload Pro Plugin up to 4.19.1 on WordPress path traversal
A vulnerability categorized as critical has been discovered in File Upload Plugin and File Upload Pro Plugin up to 4.19.1 on WordPress. Affected by this vulnerability is an unknown functionality. Such manipulation leads to path traversal.
This vulnerability is referenced as CVE-2023-2688. It is possible to launch the attack remotely. No exploit is available.
GHSA
GHSA-9f3m-9cwg-r3h9: The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4
ghsa_unreviewed·2023-06-09
CVE-2023-2688 [MEDIUM] CWE-22 GHSA-9f3m-9cwg-r3h9: The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4
The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4.19.1 via the vulnerable parameter wfu_newpath. This allows administrator-level attackers to move files uploaded with the plugin (located in wp-content/uploads by default) outside of the web root.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2915978%40wp-file-upload%2Ftrunk&old=2909107%40wp-file-upload%2Ftrunk&sfp_email=&sfph_mail=#file2https://www.wordfence.com/threat-intel/vulnerabilities/id/abd6eeac-0a7e-4762-809f-593cd85f303d?source=cvehttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2915978%40wp-file-upload%2Ftrunk&old=2909107%40wp-file-upload%2Ftrunk&sfp_email=&sfph_mail=#file2https://www.wordfence.com/threat-intel/vulnerabilities/id/abd6eeac-0a7e-4762-809f-593cd85f303d?source=cve
2023-06-09
Published