What the vulnerability does
01 Description
The AR for WordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.40 via the 'file' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires an attacker to first obtain a valid nonce and secure nonce via the publicly accessible ar_get_fresh_nonce and ar_process_user_image nopriv AJAX handlers, and to reproduce the encryption key locally; both steps are fully achievable by an unauthenticated attacker on any default free or unlicensed installation where ar_licence_key is unset.
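As an added example (not the plugin's code and not part of this advisory), the PHP below shows the containment check a file-serving AJAX handler should apply to a user-supplied 'file' parameter: canonicalise the requested path with realpath() and serve it only when the result stays under one allowed base directory. The function name resolve_within_base, the temporary uploads directory and the sample inputs are constructed for the demo and are assumptions, not values from the advisory.

```php
<?php
// Added example, not code from the AR for WordPress plugin.
// Confines a user-supplied 'file' value to one allowed directory.

/**
 * Resolve $userPath relative to $baseDir and return the canonical path only
 * if it is an existing regular file inside $baseDir; otherwise return null.
 */
function resolve_within_base(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory itself is missing
    }
    // Reject empty values, NUL bytes (realpath() refuses them in PHP 8)
    // and absolute paths before touching the filesystem.
    if ($userPath === '' || strpos($userPath, "\0") !== false || $userPath[0] === '/') {
        return null;
    }
    // realpath() collapses "../" segments and follows symlinks, so whatever
    // the input looked like, $candidate is the real target on disk.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || !is_file($candidate)) {
        return null; // nonexistent, unreadable, or not a regular file
    }
    // Prefix check includes the separator so "/srv/uploads-private"
    // is not mistaken for a child of "/srv/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the allowed directory
    }
    return $candidate;
}

// Constructed demo: a temporary "uploads" directory holding one image, with a
// sibling config file that the handler must never serve.
$tmp = sys_get_temp_dir() . '/ar_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/uploads", 0700, true);
file_put_contents("$tmp/uploads/avatar.png", "PNG bytes");
file_put_contents("$tmp/wp-config.php", "<?php define('DB_PASSWORD', 'demo-secret');");

// Expected outcome per input (true = may be served). PHP has already
// URL-decoded $_GET by the time a handler sees it, so a literal "%2e%2e"
// here is simply a directory name that does not exist.
$cases = [
    'avatar.png'            => true,
    '../wp-config.php'      => false,
    '%2e%2e/wp-config.php'  => false,
    '/etc/hostname'         => false,
    "avatar.png\0.jpg"      => false,
];

foreach ($cases as $input => $expectAllowed) {
    $resolved = resolve_within_base("$tmp/uploads", $input);
    $allowed  = $resolved !== null;
    printf("%-28s -> %s%s\n",
        json_encode($input),
        $allowed ? 'served' : 'rejected',
        $allowed === $expectAllowed ? '' : '  (UNEXPECTED)');
}

// Clean up the constructed files.
unlink("$tmp/uploads/avatar.png");
unlink("$tmp/wp-config.php");
rmdir("$tmp/uploads");
rmdir($tmp);
```

Run it with `php example.php`; only `avatar.png` should print `served`. In a WordPress handler this check belongs after the nonce and capability checks, and a handler that reads files should be registered under `wp_ajax_` only, without the `wp_ajax_nopriv_` variant, so that it is never reachable by unauthenticated requests in the first place.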
Explanation of Vulnerability in Simple Terms
02 Summary
The AR for WordPress plugin versions 8.40 and earlier contain a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files from the server. An attacker can access sensitive files such as configuration files, database credentials, and other protected data without needing to log in or interact with a user. This vulnerability affects all installations of the plugin up to version 8.40.
What an attacker can do
03 Attacker Capabilities
Read arbitrary files from the server, including configuration and credential files.
Potential impact on your site
04 Site Impact
Sensitive server files and credentials may be exposed to unauthorized access.
Conditions required to exploit
05 Prerequisites
Network access to the WordPress site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
July 3, 2026
CVE published