Folders <= 3.0 and Folders Pro <= 3.0.2 – Directory Traversal via handle_folders_file_upload | CVE 2024-2023 | Plugin Vulnerabilities

Description

The Folders and Folders Pro plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.0 in Folders and 3.0.2 in Folders Pro via the 'handle_folders_file_upload' function. This makes it possible for authenticated attackers, with author access and above, to upload files to arbitrary locations on the server.

Affects Plugins

Fixed in 3.0.1

Fixed in 3.0.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b4cc839c-de7a-43eb-a7fa-b1049419bfa3

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Colin Xu

Verified

No

WPVDB ID

e38596a3-177b-45e5-819f-1cc29c7db085

Timeline

Publicly Published

2024-06-13 (about 1 year ago)

Added

2024-06-13 (about 1 year ago)

Last Updated

2024-06-14 (about 1 year ago)

Other

Published

Title

Published

2025-05-30

Title

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Unauthenticated Arbitrary File Download

Published

2016-11-30

Title

WP Vault 0.8.6.6 - Unauthenticated Local File Inclusion (LFI)

Published

2025-08-25

Title

Nuss <= 1.3.3 - Unauthenticated Local File Inclusion

Published

2024-06-06

Title

Qi Addons For Elementor < 1.7.3 - Authenticated (Contributor+) Local File Inclusion

Published

2016-03-21

Title

ABtest - File Inclusion