Search criteria
3 vulnerabilities found for Download Plugins and Themes from Dashboard by WPFactory LLC
CVE-2024-35162 (GCVE-0-2024-35162)
Vulnerability from cvelistv5 – Published: 2024-05-22 05:30 – Updated: 2024-08-12 15:53
VLAI?
Summary
Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the server.
Severity ?
6.5 (Medium)
CWE
- Path traversal
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPFactory LLC | Download Plugins and Themes from Dashboard |
Affected:
prior to 1.8.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/download-plugins-dashboard/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN85380030/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpfactory:download_plugins_and_themes_from_dashboard:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "download_plugins_and_themes_from_dashboard",
"vendor": "wpfactory",
"versions": [
{
"lessThan": "1.8.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:44:32.221314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T15:53:54.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Download Plugins and Themes from Dashboard",
"vendor": "WPFactory LLC",
"versions": [
{
"status": "affected",
"version": "prior to 1.8.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with \"switch_themes\" privilege may obtain arbitrary files on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T05:30:33.065Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://wordpress.org/plugins/download-plugins-dashboard/"
},
{
"url": "https://jvn.jp/en/jp/JVN85380030/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-35162",
"datePublished": "2024-05-22T05:30:33.065Z",
"dateReserved": "2024-05-10T01:34:22.893Z",
"dateUpdated": "2024-08-12T15:53:54.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35162 (GCVE-0-2024-35162)
Vulnerability from nvd – Published: 2024-05-22 05:30 – Updated: 2024-08-12 15:53
VLAI?
Summary
Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the server.
Severity ?
6.5 (Medium)
CWE
- Path traversal
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPFactory LLC | Download Plugins and Themes from Dashboard |
Affected:
prior to 1.8.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/download-plugins-dashboard/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN85380030/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpfactory:download_plugins_and_themes_from_dashboard:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "download_plugins_and_themes_from_dashboard",
"vendor": "wpfactory",
"versions": [
{
"lessThan": "1.8.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:44:32.221314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T15:53:54.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Download Plugins and Themes from Dashboard",
"vendor": "WPFactory LLC",
"versions": [
{
"status": "affected",
"version": "prior to 1.8.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with \"switch_themes\" privilege may obtain arbitrary files on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T05:30:33.065Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://wordpress.org/plugins/download-plugins-dashboard/"
},
{
"url": "https://jvn.jp/en/jp/JVN85380030/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-35162",
"datePublished": "2024-05-22T05:30:33.065Z",
"dateReserved": "2024-05-10T01:34:22.893Z",
"dateUpdated": "2024-08-12T15:53:54.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2024-000049
Vulnerability from jvndb - Published: 2024-05-17 13:33 - Updated:2024-05-17 13:33
Severity ?
Summary
WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal
Details
WordPress Plugin "Download Plugins and Themes from Dashboard" provided by WPFactory LLC contains a path traversal vulnerability (CWE-22).
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to WPFactory LLC and coordinated. After the coordination was completed, this case was reported to IPA under Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer for publishing of this advisory.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000049.html",
"dc:date": "2024-05-17T13:33+09:00",
"dcterms:issued": "2024-05-17T13:33+09:00",
"dcterms:modified": "2024-05-17T13:33+09:00",
"description": "WordPress Plugin \"Download Plugins and Themes from Dashboard\" provided by WPFactory LLC contains a path traversal vulnerability (CWE-22).\r\n\r\nGen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to WPFactory LLC and coordinated. After the coordination was completed, this case was reported to IPA under Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer for publishing of this advisory.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000049.html",
"sec:cpe": {
"#text": "cpe:/a:misc:wpfactory_download_plugins_and_themes_from_dashboard",
"@product": "Download Plugins and Themes from Dashboard",
"@vendor": "WPFactory LLC",
"@version": "2.2"
},
"sec:cvss": {
"@score": "2.7",
"@severity": "Low",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-000049",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN85380030/index.html",
"@id": "JVN#85380030",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-35162",
"@id": "CVE-2024-35162",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
}
],
"title": "WordPress Plugin \"Download Plugins and Themes from Dashboard\" vulnerable to path traversal"
}