CVE-2023-0156

MEDIUM

AIOS WordPress <5.1.5 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-0156. PoCs published by b0marek.

AI-analyzed exploit summary This PoC demonstrates a directory traversal vulnerability in the All-In-One Security (AIOS) WordPress plugin (versions up to 5.1.4). It allows authenticated administrators to read arbitrary files on the server by manipulating the `aiowps_system_log_file` parameter.

Description

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in it's settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access). The plugin only displays the last 50 lines of the file.

Exploits (1)

nomisec WORKING POC
by b0marek · poc
https://github.com/b0marek/CVE-2023-0156

This PoC demonstrates a directory traversal vulnerability in the All-In-One Security (AIOS) WordPress plugin (versions up to 5.1.4). It allows authenticated administrators to read arbitrary files on the server by manipulating the `aiowps_system_log_file` parameter.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: All-In-One Security (AIOS) WordPress plugin <= 5.1.4
Auth required
Prerequisites: Authenticated admin access to WordPress · AIOS plugin version <= 5.1.4 installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/caf1dbb5-197e-41e9-8f48-ba1f2360a759

Scores

CVSS v3 4.9
EPSS 0.1992
EPSS Percentile 97.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (1)
updraftplus/all-in-one_security < 5.1.5
Published Apr 10, 2023
Tracked Since Feb 18, 2026