CVE-2015-5471

MEDIUM EXPLOITED NUCLEI

Swim Team plugin <1.44.10777 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2015-5471 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Larry W. Cashdollar. A Nuclei detection template is also available.

AI-analyzed exploit summary The exploit demonstrates an arbitrary file download vulnerability in the WordPress plugin wp-swimteam v1.44.10777. The vulnerability arises due to unsanitized user input in the download.php script, allowing attackers to read sensitive system files like /etc/passwd.

Description

Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Larry W. Cashdollar · textwebappsphp
https://www.exploit-db.com/exploits/37601

The exploit demonstrates an arbitrary file download vulnerability in the WordPress plugin wp-swimteam v1.44.10777. The vulnerability arises due to unsanitized user input in the download.php script, allowing attackers to read sensitive system files like /etc/passwd.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: wp-swimteam v1.44.10777
No auth needed
Prerequisites: Access to the target WordPress plugin endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Swim Team <= v1.44.10777 - Local File Inclusion
MEDIUMby 0x_Akoko

References (6)

Core 6

Scores

CVSS v3 5.3
EPSS 0.3271
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV 2026-02-12
CWE
CWE-22
Status published
Products (1)
swim_team_project/swim_team 1.44.10777
Published Jan 12, 2016
Tracked Since Feb 18, 2026