4 matches found
CVE-2018-25326
CVE-2018-25326 affects Google Drive for WordPress 2.2 and involves a path traversal vulnerability in gdrive-ajaxs.php. An unauthenticated attacker can exploit a crafted POST request by setting ajaxstype to del_fl_bkp and including directory traversal sequences in the file_name parameter (e.g., .....
CVE-2026-6403 Quick Playground <= 1.3.3 - Unauthenticated Path Traversal to Arbitrary File Read via 'stylesheet' Parameter
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in versions up to and including 1.3.3. This is due to insufficient path validation in the qckplyziptheme function, which appends a user-controlled 'stylesheet' parameter directly to the theme root directory path without...
CVE-2026-5478
The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled oldfiles data from public form submissions as legitimate server-side upload state, and converting...
CVE-2025-8575 LWS Cleaner <= 2.4.1.3 - Authenticated (Administrator+) Arbitrary File Deletion via 'lws_cl_delete_file'
The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lwscldeletefile' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to...