CVE-2024-9546 – WPIDE <= 3.4.9 - Unauthenticated Full Path Dislcosure
https://notcve.org/view.php?id=CVE-2024-9546
The WPIDE – File Manager & Code Editor plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.9. This is due to the plugin utilizing the PHP-Parser library, which outputs parser rebuild command execution results. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. • https://plugins.trac.wordpress.org/browser/wpide/tags/3.4.9/vendor/nikic/php-parser/grammar/rebuildParsers.php#L77 https://www.wordfence.com/threat-intel/vulnerabilities/id/e884af8b-c83f-4380-bfaf-f1419fce125c?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-35235 – WordPress WPide plugin <= 2.6 - Authenticated Arbitrary File Read vulnerability
https://notcve.org/view.php?id=CVE-2022-35235
Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThemes WPide plugin <= 2.6 at WordPress. Una vulnerabilidad de Lectura Arbitraria de Archivos Autenticada (admin+) en el plugin WPide de XplodedThemes versiones anteriores a 2.6 incluyéndola, en WordPress. The plugin WPide for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 2.6. This makes it possible for authenticated users, with administrative privileges or higher, to read any file on the server. • https://patchstack.com/database/vulnerability/wpide/wordpress-wpide-plugin-2-6-authenticated-arbitrary-file-read-vulnerability https://wordpress.org/plugins/wpide/#developers • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •