CVE-2024-9939

CWE-22 — Path Traversal3 documents3 sources

Severity

7.5HIGH

EPSS

2.0%

top 16.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Iptanus Wordpress File Upload Nickboss Iptanus File Upload

Timeline

PublishedJan 8

Description

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.13 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read files outside of the originally intended directory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDiptanus/wordpress_file_upload< 4.24.14

▶CVEListV5nickboss/iptanus_file_upload4.24.13

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

WordPress File Upload <= 4.24.13 - Unauthenticated Path Traversal to Arbitrary File Read in wfu_file_downloader.php↗2025-01-08

▶

GHSA

GHSA-h69h-rp3c-hvh5: The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4↗2025-01-08

▶