1 results (0.005 seconds)

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd El plugin Theme Editor de WordPress versiones anteriores a 2.6, no comprobaba el parámetro de archivo GET antes de pasarlo a la función download_file(), permitiendo a administradores descargar archivos arbitrarios en el servidor web, como /etc/passwd • https://wpscan.com/vulnerability/566c6836-fc3d-4dd9-b351-c3d9da9ec22e • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-552: Files or Directories Accessible to External Parties •