mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.
References
Link | Resource |
---|---|
https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/ | Exploit Third Party Advisory URL Repurposed |
https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/ | Exploit Third Party Advisory URL Repurposed |
Configurations
History
21 Nov 2024, 05:14
Type | Values Removed | Values Added |
---|---|---|
References | () https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/ - Exploit, Third Party Advisory, URL Repurposed |
14 Feb 2024, 01:17
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/ - Exploit, Third Party Advisory, URL Repurposed |
Information
Published : 2020-08-26 13:15
Updated : 2024-11-21 05:14
NVD link : CVE-2020-24312
Mitre link : CVE-2020-24312
CVE.ORG link : CVE-2020-24312
JSON object : View
Products Affected
webdesi9
- file_manager
CWE
CWE-552
Files or Directories Accessible to External Parties