WordPress Plugin Vulnerabilities

Cart66 Pro <= 1.5.3 - Authenticated Arbitrary File Disclosure

Description

Ability to change settings with a registered (non-admin) user allows us to trigger an Arbitrary File Disclosure vulnerability with any path of our choosing.

One limitation with this vulnerability is that the target user (in the PoC, ‘test’) needs to have an account on the Cart66 installation.

Affects Plugins

Plugin icon
cart66
Fixed in 1.5.4

References

CVE
CVE-2014-9461
URL
https://g0blin.co.uk/cve-2014-9461/

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Submitter
James Hooker
Submitter website
https://research.g0blin.co.uk
Submitter twitter
g0blinResearch
Verified
No
WPVDB ID
0a36d2ff-5cf1-4ade-947a-19eee48592b0

Timeline

Publicly Published
2015-01-01 (about 11 years ago)
Added
2015-01-01 (about 11 years ago)
Last Updated
2020-10-25 (about 5 years ago)

Other

Published
Title
Published
2021-11-15
Title
All-In-One-Gallery < 2.5.0 - Admin+ Local File Inclusion
Published
2026-02-26
Title
Directory Listings WordPress plugin – uListing <= 2.2.0 - Authenticated (Editor+) Arbitrary File Download
Published
2024-01-17
Title
WP Recipe Maker < 9.1.1 - Directory Traversal
Published
2025-07-17
Title
School Management System for Wordpress < 1.93.1 (02-07-2025) - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update
Published
2025-05-16
Title
Tainacan < 0.21.15 - Unauthenticated Arbitrary File Deletion