CVE-2024-5852

CWE-22 — Path Traversal3 documents3 sources

Severity

4.3MEDIUM

EPSS

0.5%

top 32.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Iptanus Wordpress File Upload Nickboss Iptanus File Upload

Timeline

PublishedJul 16

Description

The WordPress File Upload plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.24.7 via the 'uploadpath' parameter of the wordpress_file_upload shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files to arbitrary locations on the web server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDiptanus/wordpress_file_upload< 4.24.8

▶CVEListV5nickboss/iptanus_file_upload4.24.7

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-8j2w-hc9h-wm6f: The WordPress File Upload plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4↗2024-07-16

▶

CVEList

WordPress File Upload <= 4.24.7 - Authenticated (Contributor+) Directory Traversal↗2024-07-16

▶