WordPress Plugin Vulnerabilities

WOLF < 1.0.8.4 - Authenticated (Editor+) CSV Path Traversal

Description

The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to PathTraversal in all versions up to, and including, 1.0.8.3. This makes it possible for authenticated attackers, with editor-level access and above, to perform actions on CSV files outside of the originally intended directory.

Affects Plugins

Plugin icon
bulk-editor
Fixed in 1.0.8.4

References

CVE
CVE-2024-52396
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/045e3aba-16b6-46f1-8c57-dd54e1e0e950

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
a89024d8-e019-48a7-a977-aa18f8fb3da5

Timeline

Publicly Published
2024-11-11 (about 1 year ago)
Added
2024-11-21 (about 1 year ago)
Last Updated
2024-11-21 (about 1 year ago)

Other

Published
Title
Published
2025-02-22
Title
Helloprint < 2.1.0 - Subscriber+ Arbitrary File Deletion
Published
2024-06-06
Title
Upunzipper <= 1.0.0 - Authenticated (Admin+) Arbitrary File Deletion
Published
2026-01-16
Title
Feeds for YouTube Pro < 2.6.1 - Unauthenticated Arbitrary File Read via Path Traversal
Published
2026-05-13
Title
Media Sync < 1.5.0 - Authenticated (Author+) Path Traversal via 'sub_dir' and 'media_items' Parameters
Published
2025-10-15
Title
Tuturn < 3.6 - Authenticated (Subscriber+) Arbitrary File Download