WordPress Directory traversal

OWASP 2013-A9 OWASP 2017-A9 OWASP 2021-A6 CAPEC-213 CWE-22 WASC-33 WSTG-ATHZ-01

The server runs a vulnerable version of WordPress (3.0 to 4.8.1) that is open to a path traversal attack during unzipping. The flaw is in the unzip code paths of the ZipArchive and PclZip components: archive entries are extracted to paths built from the attacker-controlled file names inside the archive, so a crafted archive can write, and therefore overwrite, arbitrary files on the server. The traversal check is bypassed by placing invalid characters between two dot characters, so that an entry name that does not literally contain ".." still resolves to a parent directory by the time it is written out.

Directory traversal is an HTTP attack that lets an attacker reach files and directories stored outside the web server's root directory, and in some cases execute commands there. Operating system access controls do not prevent it on their own, because the web server process legitimately holds the rights it is abusing; the application itself has to validate every path it builds from user input. Properly controlling access to web content is therefore essential to running a secure web server. Note that in this WordPress case the traversal happens on write rather than on read: the payload is a malicious archive that WordPress unpacks, and the result is file overwrite rather than file disclosure.
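To make the write-side traversal described above concrete, and to show the check a practitioner wants in an extractor, here is an added Python example. It is not code from the page or from WordPress. It builds a constructed archive with one benign entry and three traversal attempts, then contrasts a check-then-sanitize extractor (traversal check on the raw name, cleanup afterwards), which lets the "junk between two dots" entry through, with a sanitize-then-resolve check that confirms the final path stays under the destination directory. The sanitizer regex, the control character used as the "invalid character", and the destination path are assumptions for illustration, not WordPress's actual code.

```python
import io
import os
import re
import tempfile
import zipfile

# Assumption: a lenient sanitizer that strips anything outside a small allowed
# set. Applying it AFTER the ".." check is what turns ".\x01./" into "../".
_STRIP_JUNK = re.compile(r"[^\w./-]")


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the page): one benign entry and
    three entries that try to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/readme.txt", "benign")
        zf.writestr("../../wp-config.php", "<?php // overwritten")
        zf.writestr("/etc/cron.d/evil", "* * * * * root id")
        # Invalid characters between two dots: no literal ".." in the raw name.
        zf.writestr(".\x01./.\x01./wp-login.php", "<?php // overwritten")
    return buf.getvalue()


def naive_target(dest: str, name: str):
    """Vulnerable pattern: traversal check on the raw name, sanitize afterwards.
    Returns the path the extractor would write to, or None if rejected."""
    if ".." in name or name.startswith("/"):
        return None
    cleaned = _STRIP_JUNK.sub("", name)  # may create ".." that was just checked for
    return os.path.normpath(os.path.join(dest, cleaned))


def safe_target(dest: str, name: str):
    """Hardened: sanitize first, then resolve the final path and require it to
    remain inside dest. Handles "..", absolute names and junk-between-dots."""
    cleaned = _STRIP_JUNK.sub("", name)
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, cleaned))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def extract_safely(zip_bytes: bytes, dest: str):
    """Extract only entries whose resolved path stays under dest.
    Returns (written relative paths, rejected raw entry names)."""
    written, rejected = [], []
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            written.append(os.path.relpath(target, root))
    return written, rejected


def demo():
    """Run the hardened extractor on the sample archive in a fresh temp dir."""
    dest = tempfile.mkdtemp(prefix="unzip-demo-")
    return extract_safely(build_sample_zip(), dest)


if __name__ == "__main__":
    dest = "/var/www/html/wp-content/upgrade"  # assumed extraction directory
    junk = ".\x01./.\x01./wp-login.php"
    print("naive extractor writes to:", naive_target(dest, junk))
    print("safe extractor decision:  ", safe_target(dest, junk))
    written, rejected = demo()
    print("written:", written)
    print("rejected:", rejected)
```

The naive extractor accepts the junk-between-dots entry because the raw name has no literal "..", then strips the control characters and writes two directories above the destination. The hardened version normalises first and compares the resolved path against the resolved destination, which rejects all three hostile entries regardless of how the escape was encoded.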

Impact and Fixes

