|
Description
|
|
Henri Salo has discovered a vulnerability in the Advanced Dewplayer plugin for WordPress, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to the plugin not properly restricting access to wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php, which can be exploited to download arbitrary files via directory traversal sequences.
The vulnerability is confirmed in version 1.2. Prior versions may also be affected.
|
|
|
|
|
|
Vulnerable Products
|
|
Vulnerable Software:
WordPress Advanced Dewplayer Plugin 1.x
|
|
|
|
|
|
Solution
|
|
Update to version 1.3 or later.
|
|
|
|
|
|
CVE
|
|
CVE-2013-7240
|
|
|
|
|
|
References
|
|
Advanced Dewplayer Plugin:
http://wordpress.org/plugins/advanced-dewplayer/changelog/
Henri Salo:
http://www.openwall.com/lists/oss-security/2013/12/30/5
|
|
|
|
|
|
Vulnerability Manager Detection
|
|
No
|
|
|
|
|
|
IPS Protection
|
|
|
|
|
|
|
