5.3

CVE-2024-2920

WP-Members Membership Plugin <= 3.4.9.3 - Unprotected Storage of Potentially Sensitive Files

WP-Members Membership Plugin <= 3.4.9.3 - Unprotected Storage of Potentially Sensitive Files

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.4.9.3 due to the plugin uploading user supplied files to a publicly accessible directory in wp-content without any restrictions. This makes it possible for unauthenticated attackers to view files uploaded by other users which may contain sensitive information.
Mögliche Gegenmaßnahme
WP-Members Membership Plugin: Update to version 3.4.9.4, or a newer patched version
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellercbutlerjr
Produkt WP-Members Membership Plugin
Default Statusunaffected
Version <= 3.4.9.3
Version 0
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt WP-Members Membership Plugin
Version *-3.4.9.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.5% 0.385
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@wordfence.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3074215%40wp-members&new=3074215%40wp-members&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/4319fa2e-8826-4100-9156-cbe80582367e?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/4319fa2e-8826-4100-9156-cbe80582367e
Third Party Advisory