What the vulnerability does
01Description
WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the open parameter. Attackers can supply file paths through the open GET parameter in dispatcher.php to include and read sensitive files accessible to the web server.
Explanation of Vulnerability in Simple Terms
02Summary
Amministrazione-aperta versions 3.7.3 and earlier contain a path traversal vulnerability that allows local attackers to read files outside the intended directory. The vulnerability requires local system access but no authentication or user interaction. An attacker with local access can traverse the file system to access sensitive configuration files or other restricted data.
What an attacker can do
03Attacker Capabilities
Read arbitrary files on the server outside the application's intended directory.
Potential impact on your site
04Site Impact
Sensitive files (config, database credentials, private keys) may be exposed to anyone with local server access.
Conditions required to exploit
05Prerequisites
Local access to the server; no authentication or user interaction required.
Key dates
06Disclosure timeline
May 10, 2026
CVE published
May 11, 2026
Record updated