Remote File Reading Vulnerability in WP-DBManager Plugin from WordPress
CVE-2014-8336

6.5MEDIUM

Key Information:

Vendor
Wordpress
Status
WP-dbmanager
Vendor
CVE Published:
5 January 2018

Summary

The WP-DBManager plugin for WordPress contains a vulnerability that allows remote attackers to access arbitrary files on the server. This flaw arises due to insufficient query limitations in the 'Sql Run Query' panel, enabling unauthorized use of the LOAD_FILE function within an INSERT statement. As a result, attackers could exploit this weakness to read sensitive files from the server, posing a significant security risk to WordPress websites.

References

https://github.com/lesterchan/wp-dbmanager/commit/7037fa8...
x_refsource_CONFIRM
http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-...
x_refsource_MISC
https://exchange.xforce.ibmcloud.com/vulnerabilities/97694
vdb-entryx_refsource_XF

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.