Description

WordPress Plugin WP Editor is prone to multiple vulnerabilities, including arbitrary file modification and arbitrary file disclosure vulnerability. An attacker can exploit these vulnerabilities to modify local files in the context of the web server process, which may result in privilege escalation, or to view local files (eg. server configuration), which may aid in launching further attacks. WordPress Plugin WP Editor version 1.2.5.3 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.2.6 or latest

References

https://www.pluginvulnerabilities.com/2016/05/12/authenticated-file-modification-vulnerability-in-wp-editor/

https://www.pluginvulnerabilities.com/2016/05/13/authenticated-file-viewing-vulnerability-in-wp-editor/

https://wordpress.org/plugins/wp-editor/changelog/

Related Vulnerabilities

osCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-5111)

WordPress Plugin Anti-Malware Security and Brute-Force Firewall Local File Inclusion (4.18.63)

Apache HTTP Server Improper Locking Vulnerability (CVE-2009-2699)

WordPress Plugin MiniMax-Page Layout Builder Cross-Site Scripting (1.3.4)

Ruby on Rails Inefficient Regular Expression Complexity Vulnerability (CVE-2023-22792)

Severity

High

Classification

CWE-22 CWE-88 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update