4.9
CVE-2023-2688
- EPSS 0.2%
- Veröffentlicht 09.06.2023 06:16:11
- Zuletzt bearbeitet 08.04.2026 19:18:17
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginWordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Path Traversal
The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4.19.1 via the vulnerable parameter wfu_newpath. This allows administrator-level attackers to move files uploaded with the plugin (located in wp-content/uploads by default) outside of the web root.
Mögliche Gegenmaßnahme
WordPress File Upload Pro: Update to version 4.19.2, or a newer patched version
Iptanus File Upload: Update to version 4.19.2, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WordPress File Upload Pro
Version
*-4.19.1
SystemWordPress Plugin
≫
Produkt
Iptanus File Upload
Version
*-4.19.1
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Iptanus ≫ Wordpress File Upload SwPlatformwordpress Version <= 4.19.1
Iptanus ≫ Wordpress File Upload Pro SwPlatformwordpress Version <= 4.19.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.415 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.9 | 1.2 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
|
| security@wordfence.com | 4.9 | 1.2 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.