WordPress Vulnerabilities

WordPress 4.4-4.8.1 - Path Traversal in Customizer

Description

A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.

Affects WordPress

4.7
Fixed in WordPress 4.7.6
4.7.1
Fixed in WordPress 4.7.6
4.7.2
Fixed in WordPress 4.7.6
4.7.3
Fixed in WordPress 4.7.6
4.7.4
Fixed in WordPress 4.7.6
4.7.5
Fixed in WordPress 4.7.6
4.8
Fixed in WordPress 4.8.2
4.8.1
Fixed in WordPress 4.8.2

References

CVE
CVE-2017-14722
URL
https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
URL
https://core.trac.wordpress.org/changeset/41397

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
6ef4eb23-d5a9-44b3-8402-f4b7b1a91522

Timeline

Publicly Published
2017-09-19 (about 6 years ago)
Added
2017-09-25 (about 6 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2024-05-02
Title
CAS <= 1.0.0 - Unauthenticated Arbitrary File Access
Published
2015-08-02
Title
simple-image-manipulator <= 1.0 - Remote File Download
Published
2014-08-01
Title
UnGallery <= 1.5.8 - Local File Disclosure
Published
2014-12-07
Title
ChurcHope Theme <= 2.1 - Local File Inclusion (LFI)
Published
2021-04-05
Title
Tutor LMS < 1.8.8 - Authenticated Local File Inclusion