CVE-2018-1000504

Redirection <= 2.7.3 - Local File Inclusion

highImproper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

7.2

CVSS Score

7.2

CVSS Score

high

Severity

2.8

Patched in

2021d

Time to patch

Description

Redirection version 2.7.3 contains a ACE via file inclusion vulnerability in Pass-through mode that can result in allows admins to execute any PHP file in the filesystem. This attack appear to be exploitable via Attacker must be have access to an admin account on the target site. This vulnerability appears to have been fixed in 2.8.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

High

Confidentiality

High

Integrity

High

Availability

Technical Details

Affected versions<=2.7.3

PublishedJuly 12, 2018

Last updatedJanuary 22, 2024

Affected pluginredirection

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/6e81cbe3-1310-4f6f-ae42-8d09b321657a?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database