← back
CVE-2022-2557

WordPress Team Members Showcase < 4.1.2 - Subscriber+ Arbitrary File Read and Deletion

EPSS 1.3%CWE-22
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS EPSS 1.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
22 Aug 2022Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Team WordPress plugin before 4.1.2 contains a file which could allow any authenticated users to download arbitrary files from the server via a path traversal vector. Furthermore, the file will also be deleted after its content is returned to the user
Affected products
Unknown · Team – WordPress Team Members Showcase Plugin

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/c043916a-92c9-4d02-8cca-1a90e5382b7e