Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. NOTE: some of these details are obtained from third party information.

Several vulnerabilities have been discovered in wordpress, weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-6762     It was discovered that wordpress is prone to an open     redirect vulnerability which allows remote attackers to     conduct phishing attacks.

  - CVE-2008-6767     It was discovered that remote attackers had the ability     to trigger an application upgrade, which could lead to a     denial of service attack.

  - CVE-2009-2334     It was discovered that wordpress lacks authentication     checks in the plugin configuration, which might leak     sensitive information.

  - CVE-2009-2854     It was discovered that wordpress lacks authentication     checks in various actions, thus allowing remote     attackers to produce unauthorised edits or additions.

  - CVE-2009-2851     It was discovered that the administrator interface is     prone to a cross-site scripting attack.

  - CVE-2009-2853     It was discovered that remote attackers can gain     privileges via certain direct requests.

  - CVE-2008-1502     It was discovered that the _bad_protocol_once function     in KSES, as used by wordpress, allows remote attackers     to perform cross-site scripting attacks.

  - CVE-2008-4106     It was discovered that wordpress lacks certain checks     around user information, which could be used by     attackers to change the password of a user.

  - CVE-2008-4769     It was discovered that the get_category_template     function is prone to a directory traversal     vulnerability, which could lead to the execution of     arbitrary code.

  - CVE-2008-4796     It was discovered that the _httpsrequest function in the     embedded snoopy version is prone to the execution of     arbitrary commands via shell metacharacters in https     URLs.

  - CVE-2008-5113     It was discovered that wordpress relies on the REQUEST     superglobal array in certain dangerous situations, which     makes it easier to perform attacks via crafted cookies.

The version of WordPress installed on the remote host fails to sanitize user input to the 'cat' parameter of the 'index.php' script.
Regardless of PHP's 'register_globals' setting, an unauthenticated attacker can exploit this issue to view arbitrary files or to execute arbitrary PHP code on the remote host, subject to the privileges under which the web server operates.

The version of WordPress installed on the remote host is vulnerable to a directory traversal attack.  An attacker exploiting this flaw would send malformed data to the 'cat' parameter of the 'index.php' script.  Successful exploitation would result in the attacker gaining access to confidential files on the target server.

ID	Name	Product	Family	Severity
44736	Debian DSA-1871-1 : wordpress - several vulnerabilities	Nessus	Debian Local Security Checks	critical
32080	WordPress index.php 'cat' Parameter Local File Inclusion	Nessus	CGI abuses	medium
4482	WordPress <= 2.3.3 'index.php' Arbitrary File Access	Nessus Network Monitor	CGI	medium

Detections

Analytics

CVE-2008-4769

critical

Tenable Plugins

critical

medium

medium