almosteffortless secure-files Plugin secure-files.php sf_downloads path traversal
CVE-2005-10002

9.8CRITICAL

Key Information:

Vendor
Wordpress
Status
secure-files Plugin
Vendor
CVE Published:
29 October 2023

Summary

A vulnerability exists in the almosteffortless secure-files Plugin for WordPress, specifically in the sf_downloads function within secure-files.php. This vulnerability occurs due to improper handling of the downloadfile argument, allowing an attacker to exploit path traversal and access unintended files on the server. Users are strongly advised to update to version 1.2 or later, which resolves this issue with a specified patch. Regular updates and monitoring are essential to maintain security against such vulnerabilities.

Affected Version(s)

secure-files Plugin 1.0

secure-files Plugin 1.1

References

https://vuldb.com/?id.243804
vdb-entrytechnical-description
https://vuldb.com/?ctiid.243804
signaturepermissions-required
https://github.com/wp-plugins/secure-files/commit/cab025e...
patch

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

VulDB GitHub Commit Analyzer
.