CVE-2024-35162 – Download Plugins and Themes from Dashboard <= 1.8.5 - Authenticated (Admin+) Arbitrary File Download

https://notcve.org/view.php?id=CVE-2024-35162

Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the server. La vulnerabilidad de Path traversal existe en las versiones de Download Plugins and Themes from Dashboard anteriores a la 1.8.6. Si se explota esta vulnerabilidad, un atacante remoto autenticado con privilegio "switch_themes" puede obtener archivos arbitrarios en el servidor. The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.8.5 via the download_theme function. • https://jvn.jp/en/jp/JVN85380030 https://wordpress.org/plugins/download-plugins-dashboard • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •