WordPress Plugin Vulnerabilities

Swim Team < 1.45 - Local File Inclusion

Description

The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files.

Proof of Concept

Affects Plugins

Plugin icon
wp-swimteam
Fixed in 1.45

References

CVE
CVE-2015-5471
URL
https://packetstormsecurity.com/files/#132653/

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
5.3 (medium)

Miscellaneous

Submitter
Larry W. Cashdollar
Submitter twitter
_larry0
Verified
No
WPVDB ID
b00d9dda-721d-4204-8995-093f695c3568

Timeline

Publicly Published
2015-07-03 (about 10 years ago)
Added
2015-07-03 (about 10 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-05-14
Title
File Manager Advanced Shortcode <= Multiple Versions - Authenticated (Administrator+) Local JavaScript File Inclusion via Shortcode
Published
2024-10-14
Title
WordPress Gallery Plugin – Limb Image Gallery <= 1.5.7 - Authenticated (Subscriber+) Arbitrary File Download
Published
2024-06-05
Title
Cowidgets – Elementor Addons < 1.2.0 - Authenticated (Contributor+) Local File Inclusion
Published
2025-03-19
Title
Event Manager, Events Calendar, Tickets, Registrations – Eventin < 4.0.25 - Authenticated (Contributor+) Local File Inclusion
Published
2014-08-01
Title
Lytebox - Local File Inclusion