Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-0156— All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal

EPSS 34.88% · P97
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-0156

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal
Source: NVD (National Vulnerability Database)
Vulnerability Description
The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in it's settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access). The plugin only displays the last 50 lines of the file.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin All-In-One Security路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress是WordPress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。是WordPress plugin是WordPress基金会的一个应用插件。 WordPress plugin All-In-One Security 5.1.5之前版本存在路径遍历漏洞,该漏洞源于没有限制在它的设置页面中显示哪些日志文件,攻击者利用该漏洞可以查看任意文件的内容并列出服务器上任何位置的目录。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
UnknownAll-In-One Security (AIOS) 0 ~ 5.1.5 -

II. Public POCs for CVE-2023-0156

#POC DescriptionSource LinkShenlong Link
1Repository for CVE-2023-0156 vulnerability. https://github.com/b0marek/CVE-2023-0156POC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-0156

登录查看更多情报信息。

Same Patch Batch · Unknown · 2023-04-10 · 19 CVEs total

CVE-2023-1478Hummingbird < 3.4.2 - Unauthenticated Path Traversal
CVE-2023-0363Scheduled Announcements Widget < 1.0 - Contributor+ Stored XSS
CVE-2023-1122Simple Giveaways < 2.45.1 - Editor+ Stored Cross-Site Scripting
CVE-2023-0893Time Sheets < 1.29.3 - Admin+ Stored XSS
CVE-2023-1406JetEngine < 3.1.3.1 - Author+ Remote Code Execution
CVE-2023-1426WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure
CVE-2023-1425Groundhogg Contacts < 2.7.9.4 - Admin+ SQLi
CVE-2023-0605Auto Rename Media On Upload < 1.1.0 - Admin+ Stored XSS
CVE-2023-0983Stylish Cost Calculator Premium < 7.9.0 - Unauthenticated Stored XSS
CVE-2023-1381WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization
CVE-2023-1120Simple Giveaways < 2.45.1 - Admin+ Stored XSS
CVE-2023-0422Article Directory <= 1.3 - Admin+ Stored XSS
CVE-2023-0423WordPress Amazon S3 Plugin < 1.6 - Reflected XSS
CVE-2023-0874Klaviyo <= 3.0.10 - Admin+ Stored XSS
CVE-2023-1121Simple Giveaways < 2.45.1 - Admin+ Stored Cross-Site Scripting
CVE-2022-4827WP Tiles <= 1.1.2 - Contributor+ Stored XSS
CVE-2023-0546FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
CVE-2023-0157All-In-One Security (AIOS) < 5.1.5 - Admin+ Stored XSS

IV. Related Vulnerabilities

Same product: All-In-One Security (AIOS)
Same vendor: Unknown

V. Comments for CVE-2023-0156

No comments yet

Leave a comment