CVE-2021-24154: Theme Editor < 2.6 - Authenticated Arbitrary File Download

Vendor: Unknown
Product: Theme Editor
Weakness: CWE-552 · Files accessible externally
Published: April 5, 2021
Last update: August 3, 2024

What the vulnerability does

01 Description

The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd.

Key dates

02 Disclosure timeline

April 5, 2021: CVE published
August 3, 2024: Record updated