Skip to main content

Client Portal Pro CVE-2026-40724

| EUVDEUVD-2026-37593 MEDIUM
Path Traversal (CWE-22)
2026-06-17 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

PR:L reflects required authenticated portal account; C:H for arbitrary file read; I:N and A:N as only read access is demonstrated with no write or denial capability.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:53 vuln.today

DescriptionCVE.org

CP Client Arbitrary File Download in Client Portal (Pro) <= 5.6.2 versions.

AnalysisAI

Arbitrary file download via path traversal in the Client Portal (Pro) WordPress plugin versions 5.6.2 and earlier exposes sensitive server-side files to authenticated low-privilege users. The CWE-22 flaw allows any registered portal user to craft a file request that escapes the intended directory boundary and retrieve arbitrary files accessible to the web server process - including wp-config.php containing database credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege portal account
Delivery
Send authenticated HTTP request with traversal payload
Exploit
Plugin fails to canonicalize file path
Execution
Web server reads arbitrary file outside intended directory
Persist
Attacker receives sensitive file contents (e.g., wp-config.php)
Impact
Extract database credentials for further compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated account at the low-privilege level within the Client Portal (Pro) plugin - consistent with CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 score is driven by AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating a network-exploitable, low-complexity, low-privilege-authenticated path traversal with high confidentiality impact and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege account on a WordPress site running Client Portal (Pro) 5.6.2 or earlier, then issues an authenticated HTTP request to the plugin's file download endpoint, substituting a traversal payload such as '../../wp-config.php' for the intended document filename. The plugin returns the raw file contents, yielding database hostname, username, and password. …
Remediation Update the Client Portal (Pro) plugin to a version beyond 5.6.2 per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/leco-client-portal/vulnerability/wordpress-client-portal-pro-plugin-5-6-2-arbitrary-file-download-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy