WPIDE < 3.5.0 – Unauthenticated Full Path Dislcosure | CVE 2024-9546 | Plugin Vulnerabilities

Description

The WPIDE – File Manager & Code Editor plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.9. This is due to the plugin utilizing the PHP-Parser library, which outputs parser rebuild command execution results. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

Affects Plugins

Fixed in 3.5.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e884af8b-c83f-4380-bfaf-f1419fce125c

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

TANG Cheuk Hei (siunam)

Verified

No

WPVDB ID

96d1ca81-56b5-42b6-a3e7-a78dee18bc65

Timeline

Publicly Published

2024-10-14 (about 1 year ago)

Added

2024-10-14 (about 1 year ago)

Last Updated

2024-10-15 (about 1 year ago)

Other

Published

Title

Published

2025-04-22

Title

WordPress Simple PayPal Shopping Cart < 5.1.3 - Unauthenticated Information Exposure via file_url Parameter

Published

2024-07-09

Title

SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer < 3.10.9 - Unauthenticated Full Path Disclosure

Published

2025-03-25

Title

Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates < 1.6.9 - Authenticated (Contributor+) Sensitive Information Exposure

Published

2024-01-17

Title

IP2Location Country Blocker < 2.33.4 - Unauthenticated Sensitive Information Exposure via Debug Log File

Published

2023-02-06

Title

Ajax Search Lite < 4.11.1 - Subscriber+ Sensitive Data Disclosure