Search criteria
4 vulnerabilities found for Code Explorer by qriouslad
CVE-2025-15487 (GCVE-0-2025-15487)
Vulnerability from cvelistv5 – Published: 2026-02-04 08:25 – Updated: 2026-02-04 15:17
VLAI?
Title
Code Explorer <= 1.4.6 - Authenticated (Administrator+) Arbitrary File Read via 'file' Parameter
Summary
The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Severity ?
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| qriouslad | Code Explorer |
Affected:
* , ≤ 1.4.6
(semver)
|
Credits
Bhumividh Treloges
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:17:19.875741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T15:17:26.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Code Explorer",
"vendor": "qriouslad",
"versions": [
{
"lessThanOrEqual": "1.4.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bhumividh Treloges"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the \u0027file\u0027 parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T08:25:33.630Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fad8ad54-56eb-40fa-a357-77b7d656d378?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/code-explorer/tags/1.4.6/admin/class-code-explorer-admin.php#L211"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-14T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-03T19:44:36.000+00:00",
"value": "Disclosed"
}
],
"title": "Code Explorer \u003c= 1.4.6 - Authenticated (Administrator+) Arbitrary File Read via \u0027file\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15487",
"datePublished": "2026-02-04T08:25:33.630Z",
"dateReserved": "2026-01-08T12:26:13.470Z",
"dateUpdated": "2026-02-04T15:17:26.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5816 (GCVE-0-2023-5816)
Vulnerability from cvelistv5 – Published: 2024-10-30 02:04 – Updated: 2024-10-30 14:59
VLAI?
Title
Code Explorer <= 1.4.5 - Authenticated (Admin+) External File Reading
Summary
The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPress instance, though the intention of the plugin is to only access WordPress related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance.
Severity ?
4.9 (Medium)
CWE
- CWE-73 - External Control of File Name or Path
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| qriouslad | Code Explorer |
Affected:
* , ≤ 1.4.5
(semver)
|
Credits
Dmitrii Ignatyev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T13:42:18.586533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T14:59:31.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Code Explorer",
"vendor": "qriouslad",
"versions": [
{
"lessThanOrEqual": "1.4.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPress instance, though the intention of the plugin is to only access WordPress related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T02:04:35.541Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42ecc4e5-d660-472f-823d-a29b84cdf041?source=cve"
},
{
"url": "https://wordpress.org/plugins/code-explorer/#developers"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-29T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Code Explorer \u003c= 1.4.5 - Authenticated (Admin+) External File Reading"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-5816",
"datePublished": "2024-10-30T02:04:35.541Z",
"dateReserved": "2023-10-26T22:28:52.027Z",
"dateUpdated": "2024-10-30T14:59:31.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-15487 (GCVE-0-2025-15487)
Vulnerability from nvd – Published: 2026-02-04 08:25 – Updated: 2026-02-04 15:17
VLAI?
Title
Code Explorer <= 1.4.6 - Authenticated (Administrator+) Arbitrary File Read via 'file' Parameter
Summary
The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Severity ?
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| qriouslad | Code Explorer |
Affected:
* , ≤ 1.4.6
(semver)
|
Credits
Bhumividh Treloges
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:17:19.875741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T15:17:26.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Code Explorer",
"vendor": "qriouslad",
"versions": [
{
"lessThanOrEqual": "1.4.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bhumividh Treloges"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the \u0027file\u0027 parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T08:25:33.630Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fad8ad54-56eb-40fa-a357-77b7d656d378?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/code-explorer/tags/1.4.6/admin/class-code-explorer-admin.php#L211"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-14T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-03T19:44:36.000+00:00",
"value": "Disclosed"
}
],
"title": "Code Explorer \u003c= 1.4.6 - Authenticated (Administrator+) Arbitrary File Read via \u0027file\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15487",
"datePublished": "2026-02-04T08:25:33.630Z",
"dateReserved": "2026-01-08T12:26:13.470Z",
"dateUpdated": "2026-02-04T15:17:26.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5816 (GCVE-0-2023-5816)
Vulnerability from nvd – Published: 2024-10-30 02:04 – Updated: 2024-10-30 14:59
VLAI?
Title
Code Explorer <= 1.4.5 - Authenticated (Admin+) External File Reading
Summary
The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPress instance, though the intention of the plugin is to only access WordPress related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance.
Severity ?
4.9 (Medium)
CWE
- CWE-73 - External Control of File Name or Path
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| qriouslad | Code Explorer |
Affected:
* , ≤ 1.4.5
(semver)
|
Credits
Dmitrii Ignatyev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T13:42:18.586533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T14:59:31.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Code Explorer",
"vendor": "qriouslad",
"versions": [
{
"lessThanOrEqual": "1.4.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPress instance, though the intention of the plugin is to only access WordPress related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T02:04:35.541Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42ecc4e5-d660-472f-823d-a29b84cdf041?source=cve"
},
{
"url": "https://wordpress.org/plugins/code-explorer/#developers"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-29T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Code Explorer \u003c= 1.4.5 - Authenticated (Admin+) External File Reading"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-5816",
"datePublished": "2024-10-30T02:04:35.541Z",
"dateReserved": "2023-10-26T22:28:52.027Z",
"dateUpdated": "2024-10-30T14:59:31.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}