CVE-2023-0156: All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal
First published: Mon Apr 10 2023(Updated: )
The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in it's settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access). The plugin only displays the last 50 lines of the file.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Updraftplus All-in-one Security | <5.1.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2023-0156?
The severity of CVE-2023-0156 is medium with a severity value of 4.9.
How does CVE-2023-0156 affect the All-In-One Security (AIOS) WordPress plugin?
CVE-2023-0156 allows an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server where the web server has access.
Which version of the All-In-One Security (AIOS) WordPress plugin is affected by CVE-2023-0156?
The All-In-One Security (AIOS) WordPress plugin before version 5.1.5 is affected by CVE-2023-0156.
How can I fix CVE-2023-0156 in the All-In-One Security (AIOS) WordPress plugin?
Update to version 5.1.5 or later of the All-In-One Security (AIOS) WordPress plugin to fix CVE-2023-0156.
What is CWE-22?
CWE-22 is a CWE classification for Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/title
- agent/severity
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/updraftplus
- canonical/updraftplus all-in-one security