Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3 vulnerabilities by WPFactory LLC
CVE-2024-35162 (GCVE-0-2024-35162)
Vulnerability from nvd – Published: 2024-05-22 05:30 – Updated: 2024-08-12 15:53
VLAI
Summary
Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the server.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Path traversal
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WPFactory LLC | Download Plugins and Themes from Dashboard |
Affected:
prior to 1.8.6
|
|
| wpfactory | download_plugins_and_themes_from_dashboard |
Affected:
0 , < 1.8.6
(custom)
cpe:2.3:a:wpfactory:download_plugins_and_themes_from_dashboard:-:*:*:*:*:wordpress:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/download-plugins-dashboard/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN85380030/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpfactory:download_plugins_and_themes_from_dashboard:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "download_plugins_and_themes_from_dashboard",
"vendor": "wpfactory",
"versions": [
{
"lessThan": "1.8.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:44:32.221314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T15:53:54.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Download Plugins and Themes from Dashboard",
"vendor": "WPFactory LLC",
"versions": [
{
"status": "affected",
"version": "prior to 1.8.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with \"switch_themes\" privilege may obtain arbitrary files on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T05:30:33.065Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://wordpress.org/plugins/download-plugins-dashboard/"
},
{
"url": "https://jvn.jp/en/jp/JVN85380030/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-35162",
"datePublished": "2024-05-22T05:30:33.065Z",
"dateReserved": "2024-05-10T01:34:22.893Z",
"dateUpdated": "2024-08-12T15:53:54.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35162 (GCVE-0-2024-35162)
Vulnerability from cvelistv5 – Published: 2024-05-22 05:30 – Updated: 2024-08-12 15:53
VLAI
Summary
Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the server.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Path traversal
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WPFactory LLC | Download Plugins and Themes from Dashboard |
Affected:
prior to 1.8.6
|
|
| wpfactory | download_plugins_and_themes_from_dashboard |
Affected:
0 , < 1.8.6
(custom)
cpe:2.3:a:wpfactory:download_plugins_and_themes_from_dashboard:-:*:*:*:*:wordpress:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/download-plugins-dashboard/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN85380030/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpfactory:download_plugins_and_themes_from_dashboard:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "download_plugins_and_themes_from_dashboard",
"vendor": "wpfactory",
"versions": [
{
"lessThan": "1.8.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:44:32.221314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T15:53:54.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Download Plugins and Themes from Dashboard",
"vendor": "WPFactory LLC",
"versions": [
{
"status": "affected",
"version": "prior to 1.8.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with \"switch_themes\" privilege may obtain arbitrary files on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T05:30:33.065Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://wordpress.org/plugins/download-plugins-dashboard/"
},
{
"url": "https://jvn.jp/en/jp/JVN85380030/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-35162",
"datePublished": "2024-05-22T05:30:33.065Z",
"dateReserved": "2024-05-10T01:34:22.893Z",
"dateUpdated": "2024-08-12T15:53:54.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2024-000049
Vulnerability from jvndb - Published: 2024-05-17 13:33 - Updated:2024-05-17 13:33
Severity
Summary
WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal
Details
WordPress Plugin "Download Plugins and Themes from Dashboard" provided by WPFactory LLC contains a path traversal vulnerability (CWE-22).
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to WPFactory LLC and coordinated. After the coordination was completed, this case was reported to IPA under Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer for publishing of this advisory.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000049.html",
"dc:date": "2024-05-17T13:33+09:00",
"dcterms:issued": "2024-05-17T13:33+09:00",
"dcterms:modified": "2024-05-17T13:33+09:00",
"description": "WordPress Plugin \"Download Plugins and Themes from Dashboard\" provided by WPFactory LLC contains a path traversal vulnerability (CWE-22).\r\n\r\nGen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to WPFactory LLC and coordinated. After the coordination was completed, this case was reported to IPA under Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer for publishing of this advisory.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000049.html",
"sec:cpe": {
"#text": "cpe:/a:misc:wpfactory_download_plugins_and_themes_from_dashboard",
"@product": "Download Plugins and Themes from Dashboard",
"@vendor": "WPFactory LLC",
"@version": "2.2"
},
"sec:cvss": {
"@score": "2.7",
"@severity": "Low",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-000049",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN85380030/index.html",
"@id": "JVN#85380030",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-35162",
"@id": "CVE-2024-35162",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
}
],
"title": "WordPress Plugin \"Download Plugins and Themes from Dashboard\" vulnerable to path traversal"
}