CVE-2024-7626
WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) <= 1.6.9 - Improper Path Validation to Authenticated (Subscriber+) Arbitrary File Move and Read
highExternal Control of File Name or Path
8.1
CVSS Score
8.1
CVSS Score
high
Severity
1.7.0
Patched in
1d
Time to patch
Description
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NAttack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
None
Availability
Technical Details
Affected versions
<=1.6.9PublishedSeptember 10, 2024
Last updatedSeptember 11, 2024
Affected plugindelicious-recipes
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.