CVE-2019-25213

CRITICAL EXPLOITED NUCLEI

WordPress Advanced Access Manager <5.9.8.1 - Info Disclosure

Title source: llm

Description

The Advanced Access Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read in versions up to, and including, 5.9.8.1 due to insufficient validation on the aam-media parameter. This allows unauthenticated attackers to read any file on the server, including sensitive files such as wp-config.php.

Nuclei Templates (1)

WordPress Advanced Access Manager - Path Traversal
CRITICAL VERIFIED by riteshs4hu

Scores

CVSS v3 9.8
EPSS 0.4613
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-10-15
CWE CWE-22
Status published
Products (2)
vasyltech/advanced_access_manager < 5.9.8.1
vasyltech/Advanced Access Manager – Access Governance for WordPress < 5.9.9
Published Oct 16, 2024
Tracked Since Feb 18, 2026