WordPress Plugin Vulnerabilities

CYAN Backup < 2.5.4 - Authenticated (Admin+) Arbitrary File Download

Description

The CYAN Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
cyan-backup
Fixed in 2.5.4

References

CVE
CVE-2024-52390
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/77c125fd-a954-4523-b415-21bf9e835452

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Junsu Yeo
Verified
No
WPVDB ID
a006b63b-da01-45f7-b691-3e4d6469304b

Timeline

Publicly Published
2024-11-11 (about 1 year ago)
Added
2024-11-21 (about 1 year ago)
Last Updated
2024-11-21 (about 1 year ago)

Other

Published
Title
Published
2026-02-16
Title
Open User Map < 1.4.17 - Authenticated (Subscriber+) Arbitrary File Download
Published
2025-04-16
Title
Administrator Z < 2025.03.30 - Authenticated (Admin+) Directory Traversal
Published
2024-09-25
Title
Advanced File Manager < 5.2.9 - Authenticated (Administrator+) Local JavaScript File Inclusion via fma_locale
Published
2025-05-22
Title
Advanced Database Cleaner PRO < 3.2.11 - Authenticated (Subscriber+) Limited Path Traversal
Published
2022-05-17
Title
Popup Box < 2.2 - Admin+ LFI