CVE-2019-25295
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Summary
The WP Cost Estimation plugin for WordPress is vulnerable to Upload Directory Traversal in versions before 9.660 via the uploadFormFiles function. This allows attackers to overwrite any file with a whitelisted type on an affected site.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| loopus | WP Cost Estimation & Payment Forms Builder | 0 < 9.660 | affected |
Weaknesses
- CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/65a9e877-e870-4e36-985d-c0629abe3f78?source=cve
- https://www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/
- https://codecanyon.net/item/wp-cost-estimation-payment-forms-builder/7818230
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.