Description
Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a .. (dot dot) in the fm_selected array parameter.
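A detection sketch for the parameter named above, added here as an example and not taken from b2evolution or from this advisory: it scans form-encoded request parameters for fm_selected array entries that contain a .. path segment, including encoded and backslash variants. The sample strings are constructed, and the code assumes the parameters are available from request logging as a query string or form body.

```python
from urllib.parse import parse_qsl, unquote

PARAM = "fm_selected"  # array parameter named in the description


def has_dotdot(value, max_decode=3):
    """True if any path segment is '..', also after repeated URL-decoding."""
    for _ in range(max_decode + 1):
        # Treat backslashes as separators so '..\x' is caught as well.
        if ".." in value.replace("\\", "/").split("/"):
            return True
        decoded = unquote(value)
        if decoded == value:  # nothing left to decode
            break
        value = decoded
    return False


def suspicious_selections(encoded_params):
    """Return the fm_selected values in a query string or form body that contain '..'."""
    hits = []
    for name, value in parse_qsl(encoded_params, keep_blank_values=True):
        # PHP array syntax: fm_selected[]=a or fm_selected[0]=a
        # (parse_qsl has already decoded %5B / %5D in the name).
        if name.split("[", 1)[0] == PARAM and has_dotdot(value):
            hits.append(value)
    return hits


# Constructed sample inputs (not captured traffic).
SAMPLES = [
    "fm_selected[]=photos/cat.jpg",
    "fm_selected%5B%5D=..%2F..%2Fconf.txt",
    "fm_selected[0]=a..b.txt&fm_selected[1]=..%5Cprivate.txt",
    "fm_selected[]=%252e%252e%252fnotes.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", suspicious_selections(sample))
```

A file name such as a..b.txt is not flagged, because the check compares whole path segments rather than searching for the substring.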
Remediation
References
Related Vulnerabilities
WordPress Plugin Velvet Blues Update URLs Unspecified Vulnerability (2.1)
WordPress Plugin WooCommerce Cross-Site Scripting (2.6.8)
WordPress Plugin Chained Quiz Cross-Site Scripting (1.1.8.1)
WordPress Plugin Top 10-Popular posts for WordPress SQL Injection (2.4.3)
WordPress Plugin Drag and Drop Multiple File Upload-Contact Form 7 Arbitrary File Upload (1.3.5.4)