WF-aee59a8f-7f21-4572-b146-ab1b6350ddb1-wp-hide-security-enhancer

WP Hide & Security Enhancer <= 1.3.9.2 - Arbitrary File Download

highFiles or Directories Accessible to External Parties

7.5

CVSS Score

7.5

CVSS Score

high

Severity

1.4

Patched in

2377d

Time to patch

Description

The WP Hide & Security Enhancer plugin for WordPress is vulnerable to Arbitrary File Download in versions before 1.4. This is due to insufficient validation on the file path supplied via the 'file_path' parameter. This makes it possible for attackers to arbitrarily download files such as the wp-config.php file.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

High

Confidentiality

None

Integrity

None

Availability

Technical Details

Affected versions<=1.3.9.2

PublishedJuly 21, 2017

Last updatedJanuary 22, 2024

Affected pluginwp-hide-security-enhancer

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/aee59a8f-7f21-4572-b146-ab1b6350ddb1?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database