Vulnerabilities > CVE-2021-24154 - Files or Directories Accessible to External Parties vulnerability in Themeeditor Theme Editor

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

themeeditor

CWE-552

NVD

Published: 2021-04-05

Updated: 2021-04-19

Summary

The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd

Vulnerable Configurations

Part	Description	Count
Application	Themeeditor Themeeditor Theme Editor *	1

Common Weakness Enumeration (CWE)

CWE-552 - Files or Directories Accessible to External Parties

References

https://wpscan.com/vulnerability/566c6836-fc3d-4dd9-b351-c3d9da9ec22e