CVE-2017-11658
Severity CVSS v4.0: Pending analysis
Type: CWE-22 Path Traversal
Publication date: 26/07/2017
Last modified: 20/04/2025
Description
In the WP Rocket plugin 2.9.3 for WordPress, the Local File Inclusion mitigation technique is to trim traversal characters (..) -- however, this is insufficient to stop remote attacks and can be bypassed by using 0x00 bytes, as demonstrated by a .%00.../.%00.../ attack.
Impact
Base Score 3.x: 7.50
Severity 3.x: HIGH
Base Score 2.0: 5.00
Severity 2.0: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:wp-rocket:wp-rocket:1.3.0:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:1.3.1:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:1.3.2:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:1.3.3:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:1.3.4:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:1.3.5:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:1.3.6:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:1.3.7:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:2.0.0:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:2.0.1:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:2.0.2:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:2.0.3:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:2.0.4:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:2.0.5:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:wp-rocket:wp-rocket:2.1.0:*:*:*:*:wordpress:*:* | ||
To consult the complete list of CPE names with products and versions, see this page



