CVE Vulnerability

CVE-2022-0493

The String locator WordPress plugin before 2.5.0 does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web server via a path traversal vector. Furthermore, due to a flaw in the search, allowing a pattern to be provided, which will be used to output the relevant matches from the matching file, all content of the file can be disclosed.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

4.9 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://wpscan.com/vulnerability/21e2e5fc-03d2-4791-beef-07af6bf985ed Exploit Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2685592 Release Notes Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:string_locator_project:string_locator:*:*:*:*:*:wordpress:*:*
Information

Published : 2022-03-28 06:15

Updated : 2022-04-04 08:26

NVD link : CVE-2022-0493

Mitre link : CVE-2022-0493

Products Affected
No products.
CWE
CWE-22