Common Weakness Enumeration

CWE-35

Allowed

Path Traversal: '.../...//'

Abstraction: Variant · Status: Incomplete

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

334 vulnerabilities reference this CWE, most recent first.

CVE-2024-56055 (GCVE-0-2024-56055)

Vulnerability from cvelistv5 – Published: 2024-12-18 18:42 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress WPLMS plugin < 1.9.9.5.2 - Arbitrary Directory Deletion vulnerability
Summary
Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal.This issue affects WPLMS: from n/a through < 1.9.9.5.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-35 - Path Traversal: '.../...//'
Assigner
References
Impacted products
Vendor Product Version
VibeThemes WPLMS Affected: 0 , ≤ 1.9.9.5.2 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:31
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56055",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-18T19:02:09.600631Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-18T19:02:18.760Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "wplms_plugin",
          "product": "WPLMS",
          "vendor": "VibeThemes",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.9.9.5.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.9.9.5.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafie Muhammad | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:31:04.750Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal.\u003cp\u003eThis issue affects WPLMS: from n/a through \u003c 1.9.9.5.2.\u003c/p\u003e"
            }
          ],
          "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal.This issue affects WPLMS: from n/a through \u003c 1.9.9.5.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "Path Traversal: \u0027.../...//\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:10:54.593Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-2-arbitrary-directory-deletion-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress WPLMS plugin \u003c 1.9.9.5.2 - Arbitrary Directory Deletion vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-56055",
    "datePublished": "2024-12-18T18:42:49.539Z",
    "dateReserved": "2024-12-14T19:43:05.900Z",
    "dateUpdated": "2026-04-28T16:10:54.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56049 (GCVE-0-2024-56049)

Vulnerability from cvelistv5 – Published: 2024-12-18 18:46 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress WPLMS plugin < 1.9.9.5.2 - Subscriber+ Arbitrary File Deletion vulnerability
Summary
Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal.This issue affects WPLMS: from n/a through < 1.9.9.5.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-35 - Path Traversal: '.../...//'
Assigner
References
Impacted products
Vendor Product Version
VibeThemes WPLMS Affected: 0 , ≤ 1.9.9.5.2 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:31
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56049",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-18T19:06:58.031190Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-18T19:16:42.161Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "wplms_plugin",
          "product": "WPLMS",
          "vendor": "VibeThemes",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.9.9.5.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.9.9.5.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafie Muhammad | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:31:05.799Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal.\u003cp\u003eThis issue affects WPLMS: from n/a through \u003c 1.9.9.5.2.\u003c/p\u003e"
            }
          ],
          "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal.This issue affects WPLMS: from n/a through \u003c 1.9.9.5.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "Path Traversal: \u0027.../...//\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:10:54.425Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-2-subscriber-arbitrary-file-deletion-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress WPLMS plugin \u003c 1.9.9.5.2 - Subscriber+ Arbitrary File Deletion vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-56049",
    "datePublished": "2024-12-18T18:46:23.626Z",
    "dateReserved": "2024-12-14T19:42:58.219Z",
    "dateUpdated": "2026-04-28T16:10:54.425Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56045 (GCVE-0-2024-56045)

Vulnerability from cvelistv5 – Published: 2024-12-31 13:17 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress WPLMS plugin < 1.9.9.5 - Unauthenticated Arbitrary Directory Deletion vulnerability
Summary
Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal.This issue affects WPLMS: from n/a through < 1.9.9.5.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-35 - Path Traversal: '.../...//'
Assigner
References
Impacted products
Vendor Product Version
VibeThemes WPLMS Affected: 0 , ≤ 1.9.9.5 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:31
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56045",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-31T15:24:49.100994Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-31T15:25:00.620Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "wplms_plugin",
          "product": "WPLMS",
          "vendor": "VibeThemes",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.9.9.5",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.9.9.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafie Muhammad | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:31:07.727Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal.\u003cp\u003eThis issue affects WPLMS: from n/a through \u003c 1.9.9.5.\u003c/p\u003e"
            }
          ],
          "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal.This issue affects WPLMS: from n/a through \u003c 1.9.9.5."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "Path Traversal: \u0027.../...//\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:10:54.443Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-unauthenticated-arbitrary-directory-deletion-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress WPLMS plugin \u003c 1.9.9.5 - Unauthenticated Arbitrary Directory Deletion vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-56045",
    "datePublished": "2024-12-31T13:17:49.414Z",
    "dateReserved": "2024-12-14T19:42:58.218Z",
    "dateUpdated": "2026-04-28T16:10:54.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-54362 (GCVE-0-2024-54362)

Vulnerability from cvelistv5 – Published: 2025-03-28 15:12 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress GetShop ecommerce plugin <= 1.3 - Path Traversal vulnerability
Summary
Path Traversal: '.../...//' vulnerability in boggibill GetShop ecommerce getshop-ecommerce allows Path Traversal.This issue affects GetShop ecommerce: from n/a through <= 1.3.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-35 - Path Traversal: '.../...//'
Assigner
References
Impacted products
Vendor Product Version
boggibill GetShop ecommerce Affected: 0 , ≤ 1.3 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:30
Credits
Dimas Maulana | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-54362",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-28T15:52:32.256153Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T17:00:20.103Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "getshop-ecommerce",
          "product": "GetShop ecommerce",
          "vendor": "boggibill",
          "versions": [
            {
              "lessThanOrEqual": "1.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dimas Maulana | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:30:35.847Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in boggibill GetShop ecommerce getshop-ecommerce allows Path Traversal.\u003cp\u003eThis issue affects GetShop ecommerce: from n/a through \u003c= 1.3.\u003c/p\u003e"
            }
          ],
          "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in boggibill GetShop ecommerce getshop-ecommerce allows Path Traversal.This issue affects GetShop ecommerce: from n/a through \u003c= 1.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "Path Traversal: \u0027.../...//\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:10:51.024Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/getshop-ecommerce/vulnerability/wordpress-getshop-ecommerce-plugin-1-3-path-traversal-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress GetShop ecommerce plugin \u003c= 1.3 - Path Traversal vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-54362",
    "datePublished": "2025-03-28T15:12:25.053Z",
    "dateReserved": "2024-12-02T12:05:27.400Z",
    "dateUpdated": "2026-04-28T16:10:51.024Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-54313 (GCVE-0-2024-54313)

Vulnerability from cvelistv5 – Published: 2024-12-13 14:25 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress FULL – Cliente plugin <= 3.1.25 - Local File Inclusion vulnerability
Summary
Path Traversal vulnerability in FULL. FULL Customer allows Path Traversal.This issue affects FULL Customer: from n/a through 3.1.25.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
FULL. FULL Customer Affected: n/a , ≤ 3.1.25 (custom)
Create a notification for this product.
Credits
João Pedro S Alcântara (Kinorth) (Patchstack Alliance)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-54313",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-13T15:27:36.572287Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-13T15:27:43.973Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "full-customer",
          "product": "FULL Customer",
          "vendor": "FULL.",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.1.26",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.1.25",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePath Traversal vulnerability in FULL. FULL Customer allows Path Traversal.\u003c/p\u003e\u003cp\u003eThis issue affects FULL Customer: from n/a through 3.1.25.\u003c/p\u003e"
            }
          ],
          "value": "Path Traversal vulnerability in FULL. FULL Customer allows Path Traversal.This issue affects FULL Customer: from n/a through 3.1.25."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "CWE-35 Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:10:49.842Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/full-customer/vulnerability/wordpress-full-cliente-plugin-3-1-25-local-file-inclusion-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress FULL Customer wordpress plugin to the latest available version (at least 3.1.26)."
            }
          ],
          "value": "Update the WordPress FULL Customer wordpress plugin to the latest available version (at least 3.1.26)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress FULL \u2013 Cliente plugin \u003c= 3.1.25 - Local File Inclusion vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-54313",
    "datePublished": "2024-12-13T14:25:22.051Z",
    "dateReserved": "2024-12-02T12:04:44.752Z",
    "dateUpdated": "2026-04-28T16:10:49.842Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-54216 (GCVE-0-2024-54216)

Vulnerability from cvelistv5 – Published: 2024-12-06 13:07 – Updated: 2026-07-07 11:22
VLAI
Title
WordPress ARForms plugin < 7.0.2 - Path Traversal vulnerability
Summary
Path Traversal: '.../...//' vulnerability in reputeinfosystems ARForms allows Path Traversal. This issue affects ARForms: from n/a before 7.0.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-35 - Path Traversal: '.../...//'
Assigner
References
Impacted products
Vendor Product Version
reputeinfosystems ARForms Affected: n/a , < 7.0.2 (custom)
Create a notification for this product.
Credits
Dave Jong | Patchstack
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-54216",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-06T16:22:22.639170Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-06T17:30:25.903Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ARForms",
          "vendor": "reputeinfosystems",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.0.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "7.0.2",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Dave Jong | Patchstack"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in reputeinfosystems ARForms allows Path Traversal.\u003cp\u003eThis issue affects ARForms: from n/a before 7.0.2.\u003c/p\u003e"
            }
          ],
          "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in reputeinfosystems ARForms allows Path Traversal.\n\nThis issue affects ARForms: from n/a before 7.0.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "CWE-35 Path Traversal: \u0027.../...//\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-07T11:22:19.870Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/arforms/vulnerability/wordpress-arforms-plugin-6-4-1-subscriber-arbitrary-file-read-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress ARForms plugin to the latest available version (at least 7.0.2)."
            }
          ],
          "value": "Update the WordPress ARForms plugin to the latest available version (at least 7.0.2)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress ARForms plugin \u003c 7.0.2 - Path Traversal vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-54216",
    "datePublished": "2024-12-06T13:07:17.500Z",
    "dateReserved": "2024-12-02T12:03:12.412Z",
    "dateUpdated": "2026-07-07T11:22:19.870Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-52885 (GCVE-0-2024-52885)

Vulnerability from cvelistv5 – Published: 2025-08-06 14:45 – Updated: 2025-08-06 15:03
VLAI
Title
Path Traversal
Summary
The Mobile Access Portal's File Share application is vulnerable to a directory traversal attack, allowing an authenticated, malicious end-user (authorized to at least one File Share application) to list the file names of 'nobody'-accessible directories on the Mobile Access gateway.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
checkpoint Check Point Mobile Access Affected: Check Point Mobile Access versions R81.10, R81.20, R82
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52885",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-06T15:02:46.396665Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-06T15:03:53.437Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Check Point Mobile Access",
          "vendor": "checkpoint",
          "versions": [
            {
              "status": "affected",
              "version": "Check Point Mobile Access versions R81.10, R81.20, R82"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Mobile Access Portal\u0027s File Share application is vulnerable to a directory traversal attack, allowing an authenticated, malicious end-user (authorized to at least one File Share application) to list the file names of \u0027nobody\u0027-accessible directories on the Mobile Access gateway."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "CWE-35: Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-06T14:45:43.182Z",
        "orgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
        "shortName": "checkpoint"
      },
      "references": [
        {
          "url": "https://support.checkpoint.com/results/sk/sk183137"
        }
      ],
      "title": "Path Traversal"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
    "assignerShortName": "checkpoint",
    "cveId": "CVE-2024-52885",
    "datePublished": "2025-08-06T14:45:43.182Z",
    "dateReserved": "2024-11-17T08:00:07.201Z",
    "dateUpdated": "2025-08-06T15:03:53.437Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-52498 (GCVE-0-2024-52498)

Vulnerability from cvelistv5 – Published: 2024-11-28 10:38 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress SP Blog Designer plugin <= 1.0.0 - Local File Inclusion vulnerability
Summary
Path Traversal: '.../...//' vulnerability in softpulseinfotech SP Blog Designer sp-blog-designer allows PHP Local File Inclusion.This issue affects SP Blog Designer: from n/a through <= 1.0.0.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-35 - Path Traversal: '.../...//'
Assigner
References
Impacted products
Vendor Product Version
softpulseinfotech SP Blog Designer Affected: 0 , ≤ 1.0.0 (custom)
Create a notification for this product.
softpulse_infotech sp_blog_designer Affected: 0 , ≤ 1.0.0 (custom)
    cpe:2.3:a:softpulse_infotech:sp_blog_designer:*:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2026-04-01 16:29
Credits
João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:softpulse_infotech:sp_blog_designer:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "sp_blog_designer",
            "vendor": "softpulse_infotech",
            "versions": [
              {
                "lessThanOrEqual": "1.0.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52498",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-29T18:50:34.361797Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-29T18:52:13.083Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "sp-blog-designer",
          "product": "SP Blog Designer",
          "vendor": "softpulseinfotech",
          "versions": [
            {
              "lessThanOrEqual": "1.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:29:59.814Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in softpulseinfotech SP Blog Designer sp-blog-designer allows PHP Local File Inclusion.\u003cp\u003eThis issue affects SP Blog Designer: from n/a through \u003c= 1.0.0.\u003c/p\u003e"
            }
          ],
          "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in softpulseinfotech SP Blog Designer sp-blog-designer allows PHP Local File Inclusion.This issue affects SP Blog Designer: from n/a through \u003c= 1.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-252",
          "descriptions": [
            {
              "lang": "en",
              "value": "PHP Local File Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "Path Traversal: \u0027.../...//\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:10:44.061Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/sp-blog-designer/vulnerability/wordpress-sp-blog-designer-plugin-1-0-0-local-file-inclusion-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress SP Blog Designer plugin \u003c= 1.0.0 - Local File Inclusion vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-52498",
    "datePublished": "2024-11-28T10:38:55.224Z",
    "dateReserved": "2024-11-11T06:40:32.646Z",
    "dateUpdated": "2026-04-28T16:10:44.061Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-52447 (GCVE-0-2024-52447)

Vulnerability from cvelistv5 – Published: 2024-11-20 11:07 – Updated: 2026-05-11 22:15
VLAI
Title
WordPress Contact Page With Google Map plugin <= 1.6.1 - Arbitrary File Deletion vulnerability
Summary
Path Traversal: '.../...//' vulnerability in corporatezen222 Contact Page With Google Map contact-page-with-google-map allows Path Traversal.This issue affects Contact Page With Google Map: from n/a through <= 1.6.1.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-35 - Path Traversal: '.../...//'
Assigner
References
Impacted products
Vendor Product Version
corporatezen222 Contact Page With Google Map Affected: 0 , ≤ 1.6.1 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:29
Credits
Mika | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52447",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-02T18:54:19.875942Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T22:15:13.519Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "contact-page-with-google-map",
          "product": "Contact Page With Google Map",
          "vendor": "corporatezen222",
          "versions": [
            {
              "lessThanOrEqual": "1.6.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mika | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:29:54.885Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in corporatezen222 Contact Page With Google Map contact-page-with-google-map allows Path Traversal.\u003cp\u003eThis issue affects Contact Page With Google Map: from n/a through \u003c= 1.6.1.\u003c/p\u003e"
            }
          ],
          "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in corporatezen222 Contact Page With Google Map contact-page-with-google-map allows Path Traversal.This issue affects Contact Page With Google Map: from n/a through \u003c= 1.6.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "Path Traversal: \u0027.../...//\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:10:42.628Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/contact-page-with-google-map/vulnerability/wordpress-contact-page-with-google-map-plugin-1-6-1-arbitrary-file-deletion-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Contact Page With Google Map plugin \u003c= 1.6.1 - Arbitrary File Deletion vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-52447",
    "datePublished": "2024-11-20T11:07:29.829Z",
    "dateReserved": "2024-11-11T06:39:48.586Z",
    "dateUpdated": "2026-05-11T22:15:13.519Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-52390 (GCVE-0-2024-52390)

Vulnerability from cvelistv5 – Published: 2024-11-18 21:28 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress CYAN Backup plugin <= 2.5.3 - Arbitrary File Download vulnerability
Summary
Path Traversal: '.../...//' vulnerability in Greg Ross CYAN Backup cyan-backup allows Path Traversal.This issue affects CYAN Backup: from n/a through <= 2.5.3.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-35 - Path Traversal: '.../...//'
Assigner
References
Impacted products
Vendor Product Version
Greg Ross CYAN Backup Affected: 0 , ≤ 2.5.3 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:29
Credits
Junsu Yeo | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52390",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-19T15:28:39.740529Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-19T15:28:53.863Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "cyan-backup",
          "product": "CYAN Backup",
          "vendor": "Greg Ross",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.5.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.5.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Junsu Yeo | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:29:47.327Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in Greg Ross CYAN Backup cyan-backup allows Path Traversal.\u003cp\u003eThis issue affects CYAN Backup: from n/a through \u003c= 2.5.3.\u003c/p\u003e"
            }
          ],
          "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in Greg Ross CYAN Backup cyan-backup allows Path Traversal.This issue affects CYAN Backup: from n/a through \u003c= 2.5.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "Path Traversal: \u0027.../...//\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:10:40.833Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/cyan-backup/vulnerability/wordpress-cyan-backup-plugin-2-5-3-arbitrary-file-download-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress CYAN Backup plugin \u003c= 2.5.3 - Arbitrary File Download vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-52390",
    "datePublished": "2024-11-18T21:28:53.796Z",
    "dateReserved": "2024-11-11T06:38:56.851Z",
    "dateUpdated": "2026-04-28T16:10:40.833Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, the ".../...//" manipulation is useful for bypassing some path traversal protection schemes. If "../" sequences are removed from the ".../...//" string in a sequential fashion (as some regular expression engines and other algorithms operate) the string can collapse into the unsafe "../" value (CWE-182). Removing the first "../" yields "....//" and the second removal yields "../".
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.