• WordPress is prone to a directory traversal vulnerability because it fails to sufficiently verify user-supplied input data. Exploiting this issue may allow an attacker to access sensitive information that could aid in further attacks or to cause the affected website to consume resources, thus denying service to legitimate users. WordPress version 4.5.3 is vulnerable.

• Update to WordPress version 4.6 or latest

• • https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
  • https://www.exploit-db.com/exploits/40288/
  • https://packetstormsecurity.com/files/138457/WordPress-4.5.3-Core-Ajax-Handlers-Path-Traversal.html
  • https://core.trac.wordpress.org/ticket/37490
  • http://seclists.org/oss-sec/2016/q3/347

• 

• CVE-2016-6896

  CVE-2016-10148

• CWE-22

• Missing Update Directory Traversal

• WordPress Plugin Appointment Booking Calendar Multiple Vulnerabilities (1.1.7)
• WordPress Plugin Paid Memberships Pro Directory Traversal (1.7.14.2)
• WordPress Plugin NextGEN Gallery-WordPress Gallery Cross-Site Scripting (2.2.10)
• WordPress Plugin WP Clone by WP Academy Cross-Site Scripting (2.1.1)
• WordPress Plugin WP-Piwik Cross-Site Scripting (1.0.10)