CVE-2019-25213

The Advanced Access Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read in versions up to, and including, 5.9.8.1 due to insufficient validation on the aam-media parameter. This allows unauthenticated attackers to read any file on the server, including sensitive files such as wp-config.php
Configurations

Configuration 1 (hide)

cpe:2.3:a:vasyltech:advanced_access_manager:*:*:*:*:*:wordpress:*:*

History

30 Oct 2024, 18:20

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:vasyltech:advanced_access_manager:*:*:*:*:*:wordpress:*:*
References () https://plugins.trac.wordpress.org/changeset/2098838/advanced-access-manager/trunk/application/Core/Media.php?old=2151316&old_path=advanced-access-manager%2Ftrunk%2Fapplication%2FCore%2FMedia.php - () https://plugins.trac.wordpress.org/changeset/2098838/advanced-access-manager/trunk/application/Core/Media.php?old=2151316&old_path=advanced-access-manager%2Ftrunk%2Fapplication%2FCore%2FMedia.php - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/55e0f0df-7be2-4e18-988c-2cc558768eff?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/55e0f0df-7be2-4e18-988c-2cc558768eff?source=cve - Third Party Advisory
First Time Vasyltech advanced Access Manager
Vasyltech

16 Oct 2024, 16:38

Type Values Removed Values Added
Summary
  • (es) El complemento Advanced Access Manager para WordPress es vulnerable a la lectura arbitraria de archivos sin autenticación en versiones hasta la 5.9.8.1 incluida debido a una validación insuficiente en el parámetro aam-media. Esto permite a atacantes sin autenticación leer cualquier archivo en el servidor, incluidos archivos confidenciales como wp-config.php

16 Oct 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-16 07:15

Updated : 2024-10-30 18:20


NVD link : CVE-2019-25213

Mitre link : CVE-2019-25213

CVE.ORG link : CVE-2019-25213


JSON object : View

Products Affected

vasyltech

  • advanced_access_manager
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')