WordPress Plugin Vulnerabilities

WP Directory Kit < 1.2.0 - Unauthenticated Local File Inclusion

Description

The plugin does not validate some user inputs before using them to generate paths passed to include function/s, allowing unauthenticated users to perform LFI attacks

Affects Plugins

Plugin icon
wpdirectorykit
Fixed in 1.2.0

References

CVE
CVE-2023-2278

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
8.2 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
55a50715-756b-411b-850d-7d518cb68070

Timeline

Publicly Published
2023-05-26 (about 2 years ago)
Added
2023-06-13 (about 2 years ago)
Last Updated
2023-06-13 (about 2 years ago)

Other

Published
Title
Published
2025-03-28
Title
Bit Assist < 1.5.5 - Unauthenticated Path Traversal
Published
2025-12-11
Title
Multi Uploader for Gravity Forms < 1.1.8 - Unauthenticated Arbitrary File Deletion
Published
2015-07-07
Title
S3Bubble Amazon S3 Video And Audio Streaming With Analytics <= 2.0 - Arbitrary File Download
Published
2025-04-03
Title
Category Icon < 1.0.2 - Author+ Arbitrary File Download
Published
2023-09-12
Title
Dropbox Folder Share <= 1.9.7 - Unauthenticated Remote Code Execution via LFI