Vulnerability Description
Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wordpress | Wordpress | <= 4.6 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2016/dsa-3681
- http://www.securityfocus.com/bid/92841
- https://codex.wordpress.org/Version_4.6.1Patch
- https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790cPatch
- https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-relePatchVendor Advisory
- https://wpvulndb.com/vulnerabilities/8616
- http://www.debian.org/security/2016/dsa-3681
- http://www.securityfocus.com/bid/92841
- https://codex.wordpress.org/Version_4.6.1Patch
- https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790cPatch
- https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-relePatchVendor Advisory
- https://wpvulndb.com/vulnerabilities/8616
FAQ
What is CVE-2016-7169?
CVE-2016-7169 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenti...
How severe is CVE-2016-7169?
CVE-2016-7169 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-7169?
Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress.