CVE-2024-32111

Summary

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.

Affected Software

VendorProductVersion RangeStatus
AutomatticWordPress6.5 <= 6.5.4affected
AutomatticWordPress6.4 <= 6.4.4affected
AutomatticWordPress6.3 <= 6.3.4affected
AutomatticWordPress6.2 <= 6.2.5affected
AutomatticWordPress6.1 <= 6.1.6affected
AutomatticWordPress6.0 <= 6.0.8affected
AutomatticWordPress5.9 <= 5.9.9affected
AutomatticWordPress5.8 <= 5.8.9affected
AutomatticWordPress5.7 <= 5.7.11affected
AutomatticWordPress5.6 <= 5.6.13affected
AutomatticWordPress5.5 <= 5.5.14affected
AutomatticWordPress5.4 <= 5.4.15affected
AutomatticWordPress5.3 <= 5.3.17affected
AutomatticWordPress5.2 <= 5.2.20affected
AutomatticWordPress5.1 <= 5.1.18affected
AutomatticWordPress5.0 <= 5.0.21affected
AutomatticWordPress4.9 <= 4.9.25affected
AutomatticWordPress4.8 <= 4.8.24affected
AutomatticWordPress4.7 <= 4.7.28affected
AutomatticWordPress4.6 <= 4.6.28affected
AutomatticWordPress4.5 <= 4.5.31affected
AutomatticWordPress4.4 <= 4.4.32affected
AutomatticWordPress4.3 <= 4.3.33affected
AutomatticWordPress4.2 <= 4.2.37affected
AutomatticWordPress4.1 <= 4.1.40affected

Weaknesses

  • CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References