WordPress Plugin Vulnerabilities

MoveTo <= 6.2 - Unauthenticated Directory Traversal to Arbitrary File Deletion

Description

The moveto plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, leading to site takeover.

Affects Plugins

Plugin icon
moveto
No known fix

References

CVE
CVE-2024-25911
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ec4c14ec-d085-42c8-9e98-4155f7fa8c10

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
f486e3cb-7c42-4d46-9d97-581f35781f56

Timeline

Publicly Published
2024-02-12 (about 2 years ago)
Added
2024-02-14 (about 2 years ago)
Last Updated
2024-02-14 (about 2 years ago)

Other

Published
Title
Published
2015-03-28
Title
Aspose PDF Exporter - Arbitrary File Download
Published
2016-07-10
Title
Ultimate Member < 1.3.65 - Local File Inclusion
Published
2025-02-24
Title
Pie Register Premium < 3.8.3.3 - Authenticated (Subscriber+) Limited File Deletion
Published
2025-03-19
Title
Event Manager, Events Calendar, Tickets, Registrations – Eventin < 4.0.25 - Authenticated (Contributor+) Local File Inclusion
Published
2014-08-01
Title
Payment Gateways Caller for WP e-Commerce 0.1.0 - load_merchant Parameter Traversal Local file Inclusion