CVE-2019-25727
Arbitrary File Download in WordPress Plugin Ad Manager WD 1.0.11
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wd | ad_manager | 1.0.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WordPress Plugin ad manager wd version 1.0.11 contains an arbitrary file download vulnerability. This flaw allows unauthenticated attackers to download sensitive files by manipulating the 'path' parameter in a GET request to the 'edit.php' endpoint with 'export=export_csv'. By crafting a malicious URL, attackers can read and download files such as the WordPress configuration file (wp-config.php) that are accessible to the web server.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to download sensitive files without authentication. Access to files like wp-config.php can expose database credentials and other critical configuration details, potentially leading to full site compromise, data breaches, and unauthorized access to the WordPress installation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access sensitive files through crafted GET requests targeting the vulnerable endpoint.
A typical command to test for this vulnerability involves sending a GET request to the edit.php endpoint with the parameters export=export_csv and a malicious path parameter pointing to a sensitive file such as wp-config.php.
For example, using curl from a terminal, you can run:
- curl -i "http://<target-site>/wp-admin/edit.php?post_type=wd_ads_ads&export=export_csv&path=../wp-config.php"
If the response contains contents of the wp-config.php file or other sensitive files, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Disable or remove the vulnerable WordPress Plugin ad manager wd version 1.0.11 or earlier.
- Restrict access to the wp-admin/edit.php endpoint or implement web application firewall (WAF) rules to block requests containing the export=export_csv parameter combined with suspicious path parameters.
- Update the plugin to a patched version if available.
- Review web server logs for suspicious GET requests targeting the vulnerable parameters and block offending IP addresses.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to download sensitive files such as wp-config.php by exploiting an arbitrary file download flaw in the WordPress Plugin ad manager wd 1.0.11.
Access to sensitive files could lead to exposure of confidential information, which may result in non-compliance with data protection regulations such as GDPR or HIPAA that require safeguarding personal and sensitive data.
Organizations using the affected plugin could face risks related to unauthorized data disclosure, potentially violating regulatory requirements for data confidentiality and security.