CVE-2024-12719

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
07/01/2025
Last modified:
13/03/2025

Description

The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wfu_ajax_action_read_subfolders' function in all versions up to, and including, 4.24.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform limited path traversal to view directories and subdirectories in WordPress. Files cannot be viewed.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:iptanus:wordpress_file_upload:*:*:*:*:*:wordpress:*:* 4.25.0 (excluding)