Hi,
Although we had not been informed of this disclosure ahead of it happening, there is no apparent immediate risk.
Without giving too much information, as we are reviewing the report that was submitted to us at a later date: an administrator (which would in most cases be the site owner) would be able to view the content of files outside the WordPress directory, but only if the user also had access to your server and could write or modify very specific files on the server itself first.
The security advisory agrees that these requirements are so specific that it has a low severity impact and is unlikely to be exploited, but we are still waiting for more information from the reporter to more accurately address the report before we make any changes, if needed.
Thank you, Marius. You might have seen that the report comes from PatchStack:
https://vdp.patchstack.com/database/Wordpress/Plugin/health-check/vulnerability/wordpress-health-check-troubleshooting-plugin-1-7-1-path-traversal-vulnerability?_s_id=cve
Have you had contact with them? Not having seen any update for more than a year made me delete the plugin, but as it is unlikely to be exploited, I have downloaded and installed the plugin again. 🙂
RGDS, Arie
It worries me that they say: “This Plugin was last updated over one year ago and will likely not receive further updates or fixes. Note that deactivating the Plugin does not remove the security threat unless mitigation rule by Patchstack is deployed.”
Please give me confidence!!
For a plugin that ships with WordPress, it seems very odd that it has not been updated in over 2 years, and that its makers still have not addressed this problem.