CVE-2017-14719

HIGH

WordPress < 4.8.2 - Path Traversal via Unzip Operations

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-14719. PoCs published by PalmTreeForest.

AI-analyzed exploit summary: This repository contains a detailed writeup and documentation of vulnerabilities affecting older versions of WordPress, including CVE-2017-14719 (path traversal), CVE-2019-9787 (authenticated XSS), and an unauthenticated REST API content modification vulnerability. It includes steps to recreate the vulnerabilities, affected source code references, and screenshots.

Description

Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.

Exploits (1)

nomisec WRITEUP
by PalmTreeForest · poc
https://github.com/PalmTreeForest/CodePath_Week_7-8

Classification: Writeup 100%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: WordPress 3.8, 4.6.1, 4.7
Auth required
Prerequisites: Access to WordPress admin account for some vulnerabilities · Network access to the target WordPress instance
mistral-large-3 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-3997
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100912
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039553
Patch, Release Notes, Vendor Advisory x_refsource_misc
https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/8911
Patch, Vendor Advisory x_refsource_misc
https://core.trac.wordpress.org/changeset/41457

Scores

CVSS v3 7.5
EPSS 0.1338
EPSS Percentile 96.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-22
Status published
Products (50)
wordpress/wordpress 3.0
wordpress/wordpress 3.0.1
wordpress/wordpress 3.0.2
wordpress/wordpress 3.0.3
wordpress/wordpress 3.0.4
wordpress/wordpress 3.0.5
wordpress/wordpress 3.0.6
wordpress/wordpress 3.1
wordpress/wordpress 3.1.1
wordpress/wordpress 3.1.2
... and 40 more
Published Sep 23, 2017
Tracked Since Feb 18, 2026