Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network attack (PR:N/AV:N) but AC:H because it needs a fetched nonce plus local key reproduction dependent on the default unset-licence config; read-only so C:H, I:N, A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The AR for WordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.40 via the 'file' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires an attacker to first obtain a valid nonce and secure nonce via the publicly accessible ar_get_fresh_nonce and ar_process_user_image nopriv AJAX handlers, and to reproduce the encryption key locally - both steps are fully achievable by an unauthenticated attacker on any default free or unlicensed installation where ar_licence_key is unset.
Articles & Coverage 1
AnalysisAI
Arbitrary file disclosure in the AR for WordPress plugin (versions up to and including 8.40) lets unauthenticated remote attackers read any file the web server can access via a path-traversal payload in the 'file' parameter of its secure-download handler. Exploitation is gated by a nonce and encryption-key check, but both can be satisfied remotely on default free or unlicensed installations, exposing wp-config.php and other secrets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to run AR for WordPress ≤ 8.40 with the licence key unset (ar_licence_key empty), which is the default state of free and unlicensed installations - this is the specific configuration that makes the download encryption key locally reproducible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) reflects unauthenticated network-based confidentiality loss with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker requests a fresh nonce from the public ar_get_fresh_nonce/ar_process_user_image nopriv AJAX handlers, locally reproduces the encryption key (trivial when ar_licence_key is unset), then calls the secure-download endpoint with a 'file' value like '../../../../wp-config.php' to retrieve database credentials and WordPress salts. No POC is publicly identified, but the Wordfence writeup describes each step, making weaponization straightforward for a moderately skilled attacker. |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - a corrective changeset for the ar-for-wordpress repository is published at https://plugins.trac.wordpress.org/changeset?old=3593272%40ar-for-wordpress&new=3593272%40ar-for-wordpress, so administrators should update to the latest available plugin version above 8.40 as soon as the vendor tags a release incorporating it, and consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/cfa375a8-ab07-45da-bc77-1e7edc996e05) for the confirmed fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress instances for AR for WordPress plugin version 8.40 or earlier and document affected systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41471
GHSA-c67p-rxvq-wp57