All the vulnerabilites related to WPFactory LLC - Download Plugins and Themes from Dashboard
cve-2024-35162
Vulnerability from cvelistv5
Published
2024-05-22 05:30
Modified
2024-08-12 15:53
Severity ?
EPSS score ?
Summary
Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the server.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| WPFactory LLC | Download Plugins and Themes from Dashboard |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/download-plugins-dashboard/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN85380030/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpfactory:download_plugins_and_themes_from_dashboard:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "download_plugins_and_themes_from_dashboard",
"vendor": "wpfactory",
"versions": [
{
"lessThan": "1.8.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:44:32.221314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T15:53:54.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Download Plugins and Themes from Dashboard",
"vendor": "WPFactory LLC",
"versions": [
{
"status": "affected",
"version": "prior to 1.8.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with \"switch_themes\" privilege may obtain arbitrary files on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T05:30:33.065Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://wordpress.org/plugins/download-plugins-dashboard/"
},
{
"url": "https://jvn.jp/en/jp/JVN85380030/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-35162",
"datePublished": "2024-05-22T05:30:33.065Z",
"dateReserved": "2024-05-10T01:34:22.893Z",
"dateUpdated": "2024-08-12T15:53:54.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
jvndb-2024-000049
Vulnerability from jvndb
Published
2024-05-17 13:33
Modified
2024-05-17 13:33
Severity ?
Summary
WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal
Details
WordPress Plugin "Download Plugins and Themes from Dashboard" provided by WPFactory LLC contains a path traversal vulnerability (CWE-22).
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to WPFactory LLC and coordinated. After the coordination was completed, this case was reported to IPA under Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer for publishing of this advisory.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/jp/JVN85380030/index.html | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-35162 | |
| Path Traversal(CWE-22) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| WPFactory LLC | Download Plugins and Themes from Dashboard |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000049.html",
"dc:date": "2024-05-17T13:33+09:00",
"dcterms:issued": "2024-05-17T13:33+09:00",
"dcterms:modified": "2024-05-17T13:33+09:00",
"description": "WordPress Plugin \"Download Plugins and Themes from Dashboard\" provided by WPFactory LLC contains a path traversal vulnerability (CWE-22).\r\n\r\nGen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to WPFactory LLC and coordinated. After the coordination was completed, this case was reported to IPA under Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer for publishing of this advisory.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000049.html",
"sec:cpe": {
"#text": "cpe:/a:misc:wpfactory_download_plugins_and_themes_from_dashboard",
"@product": "Download Plugins and Themes from Dashboard",
"@vendor": "WPFactory LLC",
"@version": "2.2"
},
"sec:cvss": {
"@score": "2.7",
"@severity": "Low",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-000049",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN85380030/index.html",
"@id": "JVN#85380030",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-35162",
"@id": "CVE-2024-35162",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
}
],
"title": "WordPress Plugin \"Download Plugins and Themes from Dashboard\" vulnerable to path traversal"
}