We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-10672

Multiple Page Generator Plugin – MPG <= 4.0.2 - Authenticated (Editor+) Directory Traversal to Limited File Deletion



Description

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server.

Reserved 2024-11-01 | Published 2024-11-12 | Updated 2024-11-12 | Assigner Wordfence


LOW: 2.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-73 External Control of File Name or Path

Product status

Default status
unaffected

*
affected

Timeline

2024-11-11:Disclosed

Credits

Arkadiusz Hydzik finder

References

www.wordfence.com/...-4d62-4ecf-a2f1-57e0e416792b?source=cve

plugins.trac.wordpress.org/...trollers/ProjectController.php

plugins.trac.wordpress.org/...trollers/ProjectController.php

plugins.trac.wordpress.org/...trollers/ProjectController.php

cve.org (CVE-2024-10672)

nvd.nist.gov (CVE-2024-10672)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-10672

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.