CVE-2015-10105

IP Blacklist Cloud Plugin CSV File Import ip_blacklist_cloud.php valid_js_identifier path traversal

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A vulnerability, which was classified as critical, was found in IP Blacklist Cloud Plugin up to 3.42 on WordPress. This affects the function valid_js_identifier of the file ip_blacklist_cloud.php of the component CSV File Import. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. Upgrading to version 3.43 is able to address this issue. The identifier of the patch is 6e6fe8c6fda7cbc252eef083105e08d759c07312. It is recommended to upgrade the affected component. The identifier VDB-227757 was assigned to this vulnerability.

A critical vulnerability was found in IP Blacklist Cloud Plugin up to 3.42 for WordPress. It concerns the function valid_js_identifier of the file ip_blacklist_cloud.php of the component CSV File Import. Manipulating the argument filename with unknown data can be used to exploit a path traversal vulnerability. The attack can take place over the network. Updating to version 3.43 resolves this problem. The patch is identified as 6e6fe8c6fda7cbc252eef083105e08d759c07312. Installing an upgrade is recommended as the best possible measure.

The IP Blacklist Cloud plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 3.42 via the 'filename' parameter. This allows authenticated attackers, with administrative privileges, to read arbitrary files on the server that may contain sensitive information.

*Credits: VulDB GitHub Commit Analyzer
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: PoC
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2015-03-07 CVE Published
  • 2023-04-29 CVE Reserved
  • 2024-11-22 CVE Updated
  • 2024-12-20 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Ip-finder
  • Product: Ip Blacklist Cloud
  • Version: <= 3.42
  • Other: wordpress
  • Status: Affected