Unauthenticated Arbitrary File Read Vulnerability Affects Advanced Access Manager Plugin
CVE-2019-25213
Key Information:
- Vendor: WordPress
- CVE Published: 16 October 2024
Summary
The Advanced Access Manager plugin for WordPress contains a vulnerability that lets unauthenticated attackers read arbitrary files. The issue arises from inadequate validation of user input in the aam-media parameter. Exploiting it gives access to sensitive files on the server, such as wp-config.php, which can contain critical configuration details. Webmasters using this plugin should update to a secure version immediately to protect their site from data leaks that could compromise user data and overall security.
Affected Version(s)
Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More: versions < 5.9.9