Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in icopydoc YML for Yandex Market yml-for-yandex-market allows Path Traversal.This issue affects YML for Yandex Market: from n/a through < 5.3.0.
AnalysisAI
YML for Yandex Market versions prior to 5.3.0 contain a path traversal vulnerability that allows high-privileged attackers to access files outside restricted directories without user interaction. This vulnerability could enable unauthorized disclosure of sensitive information across the system. Currently, no patch is available and exploitation appears unlikely in the wild.
Technical ContextAI
The vulnerability resides in the icopydoc YML for Yandex Market WordPress plugin (CPE: cpe:2.3:a:icopydoc:yml_for_yandex_market:*:*:*:*:*:*:*:*), a tool designed to generate Yandex Market product feed files in YML format. The root cause is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), which occurs when the plugin fails to properly validate and sanitize file path inputs. This allows an attacker to use path traversal sequences (such as ../ or absolute paths) to escape the intended directory boundary and access arbitrary files on the server's filesystem. The vulnerability likely exists in file handling or configuration loading routines that do not implement proper input validation.
RemediationAI
Immediately upgrade the YML for Yandex Market plugin to version 5.3.0 or later, which patches the path traversal vulnerability. This is the primary and recommended fix. Administrators should verify the update through the WordPress plugin repository or directly from the vendor. As an interim measure before patching is feasible, restrict administrative access to the plugin settings to only trusted users, implement Web Application Firewall (WAF) rules to detect and block path traversal patterns (../), and consider disabling the plugin if it is not actively in use. Review server access logs for suspicious file access patterns that may indicate exploitation attempts. Refer to the Patchstack security advisory for vendor guidance and any additional context on the vulnerability.
More in Yml For Yandex Market
View allThe YML for Yandex Market plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the feed_id parameter
The YML for Yandex Market plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15929