The Big File Uploads – Increase Maximum File Upload Size plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1.2. This is due the plugin not sanitizing a file path in an error message. This makes it possible for authenticated attackers, with author-level access and above, to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
History

Thu, 26 Sep 2024 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Infiniteuploads
Infiniteuploads big File Uploads
Weaknesses CWE-22
CPEs cpe:2.3:a:infiniteuploads:big_file_uploads:*:*:*:*:*:wordpress:*:*
Vendors & Products Infiniteuploads
Infiniteuploads big File Uploads

Mon, 09 Sep 2024 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 07 Sep 2024 08:45:00 +0000

Type Values Removed Values Added
Description The Big File Uploads – Increase Maximum File Upload Size plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1.2. This is due the plugin not sanitizing a file path in an error message. This makes it possible for authenticated attackers, with author-level access and above, to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Title Big File Uploads <= 2.1.2 - Authenticated (Author+) Full Path Disclosure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-09-07T08:37:01.673Z

Updated: 2024-09-09T13:56:15.542Z

Reserved: 2024-09-06T18:05:48.796Z

Link: CVE-2024-8538

cve-icon Vulnrichment

Updated: 2024-09-09T13:56:10.288Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-07T09:15:03.773

Modified: 2024-09-26T16:28:02.990

Link: CVE-2024-8538

cve-icon Redhat

No data.