Themes Vulnerabilities

Javo Spot Premium Theme - Unauthenticated Directory Traversal

Description

Print out any file in the via an unauthenticated AJAX request.

Proof of Concept

Affects Themes

javo-spot
Fixed in 3.0.0

References

URL
https://codeseekah.com/2017/02/09/javo-themes-spot-lfi-vulnerability/
URL
https://themeforest.net/item/javo-spot-multi-purpose-directory-wordpress-theme/13198068

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Submitter
Gennady
Submitter website
https://codeseekah.com
Submitter twitter
soulseekah
Verified
No
WPVDB ID
2d465fc4-d4fa-43bb-9c0d-71dcc3ee4eab

Timeline

Publicly Published
2017-02-10 (about 8 years ago)
Added
2017-02-10 (about 8 years ago)
Last Updated
2020-12-12 (about 5 years ago)

Other

Published
Title
Published
2021-08-24
Title
Live Scores for SportsPress < 1.9.1 - Authenticated Local File Inclusion
Published
2024-09-30
Title
Hello World < 2.2.0 - Authenticated (Subscriber+) Arbitrary File Read
Published
2024-07-08
Title
Panda Video < 1.4.1 - Authenticated (Contributor+) Local File Inclusion
Published
2026-01-06
Title
Flashcard Plugin for WordPress <= 0.9 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal
Published
2018-12-07
Title
WP Payeezy Pay < 2.98 - Local File Inclusion