cbcvebase.
CVE-2023-2688
published 2023-06-09

CVE-2023-2688: The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4.19.1 via the…

PriorityP430medium4.9CVSS 3.1
AVNACLPRHUINSUCNIHAN
EPSS
1.74%
74.8th percentile
The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4.19.1 via the vulnerable parameter wfu_newpath. This allows administrator-level attackers to move files uploaded with the plugin (located in wp-content/uploads by default) outside of the web root.

Affected

3 ranges
VendorProductVersion rangeFixed in
iptanuswordpress_file_upload<= 4.19.1
iptanuswordpress_file_upload_pro<= 4.19.1
nickbossiptanus_file_upload<= 4.19.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.