WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal


WordPress Plugin "Download Plugins and Themes from Dashboard" provided by WPFactory LLC contains a path traversal vulnerability (CWE-22).

Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to WPFactory LLC and coordinated with the developer. After the coordination was completed, this case was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer for publication of this advisory.
CVSS Severity

CVSS V3 Severity:
Base Metrics 2.7 (Low) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

WPFactory LLC
  • Download Plugins and Themes from Dashboard versions prior to 1.8.6


Impact

A user with the "switch_themes" capability may obtain arbitrary files on the server.
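The advisory does not describe the affected code path, so the following is an added, generic illustration of the CWE-22 pattern behind this class of bug and of the containment check that prevents it; it is not code from the plugin or from WPFactory. The function names `unsafe_resolve` and `safe_resolve` are hypothetical, `$base_dir` stands in for the WordPress theme or plugin root (what `get_theme_root()` or `WP_PLUGIN_DIR` would supply), and `$slug` is the user-controlled value. A `current_user_can('switch_themes')` check in front of such a function limits who can reach it, but does not by itself stop a privileged user from walking out of the intended directory.

```php
<?php
// Added example, not the plugin's own code. Demonstrates a slug-to-directory
// resolver with and without traversal protection.

// Vulnerable pattern (CWE-22): user input concatenated straight into a path.
// A slug such as "../../wp-config.php" escapes $base_dir.
function unsafe_resolve(string $base_dir, string $slug): string
{
    return $base_dir . '/' . $slug;
}

// Hardened version: allowlist the slug format, canonicalise, and require that
// the resolved path stays inside $base_dir. Returns null on rejection.
function safe_resolve(string $base_dir, string $slug): ?string
{
    // 1. Theme and plugin directory names are plain slugs; reject anything else
    //    (this alone blocks ".", "..", "/", "\" and URL-encoded variants).
    if (!preg_match('/\A[a-z0-9_-]+\z/', $slug)) {
        return null;
    }

    // 2. realpath() collapses ".." segments and symlinks, and returns false when
    //    the target does not exist, so a non-existent slug is also rejected.
    $root   = realpath($base_dir);
    $target = realpath($base_dir . '/' . $slug);
    if ($root === false || $target === false) {
        return null;
    }

    // 3. Containment: the target must be strictly below the root. The trailing
    //    separator prevents "/themes_evil" from passing a check against "/themes".
    if (strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // 4. Only a directory is a legitimate source for a theme/plugin archive.
    return is_dir($target) ? $target : null;
}

// Constructed demo data: a throwaway "themes" root with one installed theme.
$root = sys_get_temp_dir() . '/themes_' . bin2hex(random_bytes(4));
mkdir($root . '/twentytwentyfour', 0700, true);

$cases = [
    'twentytwentyfour',          // legitimate installed theme
    '../../wp-config.php',       // classic traversal
    '..%2F..%2Fwp-config.php',   // URL-encoded traversal
    'missing-theme',             // well-formed slug, not installed
    '.',                         // the root itself
];

foreach ($cases as $slug) {
    printf(
        "%-26s unsafe=%s\n%-26s safe=%s\n",
        $slug, unsafe_resolve($root, $slug),
        '',    safe_resolve($root, $slug) ?? 'REJECTED'
    );
}

// Clean up the demo directory.
rmdir($root . '/twentytwentyfour');
rmdir($root);
```

Only the first case resolves under `safe_resolve`; every other slug is rejected either by the format allowlist or by the canonical-prefix check, whereas `unsafe_resolve` happily returns a path outside the theme root for the traversal inputs.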

Solution

[Update the plugin]
Update the plugin to the latest version according to the information provided by the developer.
Vendor Information

WPFactory LLC
CWE

  1. Path Traversal (CWE-22) [IPA Evaluation]
CVE

  1. CVE-2024-35162

  1. JVN: JVN#85380030
Revision History

  • [2024/05/17]
      Web page was published