| CVE | CVE-2022-2557 |
|---|---|
| CVSS | High (7.5) |
| Publicly Published | July 29, 2022 |
| Last Updated | January 22, 2024 |
| Researcher |
Nhật Nam
|
The Team - WordPress Team Member Showcase Plugin for WordPress is vulnerable to directory traversal via the 'resources/download.php' file. This allows authenticated attackers to download a copy of any file on the server, and then delete the original from the server, granted the 'wp-content/plugins/tlp-team/temp' folder exists. This folder is not currently generated by default in the free version of the plugin, but in cases where it exists it is possible for an attacker to completely take over a site by deleting wp-config.php and reinstalling WordPress, while simultaneously obtaining credentials to the existing database.
References| Software Type | Plugin |
|---|---|
| Software Slug | tlp-team (view on wordpress.org) |
| Patched? | Yes |
| Affected Version |
|
| Patched Version |
|
Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy.
License Detail.