In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading.
CWE-552
CVE-2022-2981
The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders and are not sensitive, allowing high-privilege users such as admin to download wp-config.php or /etc/passwd even in a hardened environment or multisite setup.
CVE-2022-29720
74cmsSE v3.5.1 was discovered to contain an arbitrary file read vulnerability via the component indexcontrollerDownload.php.
CVE-2022-29446
Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company’s Counter Box plugin <= 1.1.1 for WordPress.
CVE-2022-29447
Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company’s Hover Effects plugin <= 2.1 for WordPress.
CVE-2022-29302
SolarView Compact ver.6.00 was discovered to contain a local file disclosure via /html/Solar_Ftp.php.