Skip to main content

AR for WordPress EUVDEUVD-2026-41471

| CVE-2026-14327 HIGH
Path Traversal (CWE-22)
2026-07-03 Wordfence GHSA-c67p-rxvq-wp57
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Unauthenticated network attack (PR:N/AV:N) but AC:H because it needs a fetched nonce plus local key reproduction dependent on the default unset-licence config; read-only so C:H, I:N, A:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 01:58 vuln.today
CVE Published
Jul 03, 2026 - 01:28 cve.org
HIGH 7.5

DescriptionCVE.org

The AR for WordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.40 via the 'file' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires an attacker to first obtain a valid nonce and secure nonce via the publicly accessible ar_get_fresh_nonce and ar_process_user_image nopriv AJAX handlers, and to reproduce the encryption key locally - both steps are fully achievable by an unauthenticated attacker on any default free or unlicensed installation where ar_licence_key is unset.

AnalysisAI

Arbitrary file disclosure in the AR for WordPress plugin (versions up to and including 8.40) lets unauthenticated remote attackers read any file the web server can access via a path-traversal payload in the 'file' parameter of its secure-download handler. Exploitation is gated by a nonce and encryption-key check, but both can be satisfied remotely on default free or unlicensed installations, exposing wp-config.php and other secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Request fresh nonce from nopriv AJAX handler
Delivery
Reproduce encryption key locally (default config)
Exploit
Craft 'file' parameter with ../ traversal
Execution
Call secure-download endpoint
Impact
Read wp-config.php and secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to run AR for WordPress ≤ 8.40 with the licence key unset (ar_licence_key empty), which is the default state of free and unlicensed installations - this is the specific configuration that makes the download encryption key locally reproducible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) reflects unauthenticated network-based confidentiality loss with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker requests a fresh nonce from the public ar_get_fresh_nonce/ar_process_user_image nopriv AJAX handlers, locally reproduces the encryption key (trivial when ar_licence_key is unset), then calls the secure-download endpoint with a 'file' value like '../../../../wp-config.php' to retrieve database credentials and WordPress salts. No POC is publicly identified, but the Wordfence writeup describes each step, making weaponization straightforward for a moderately skilled attacker.
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - a corrective changeset for the ar-for-wordpress repository is published at https://plugins.trac.wordpress.org/changeset?old=3593272%40ar-for-wordpress&new=3593272%40ar-for-wordpress, so administrators should update to the latest available plugin version above 8.40 as soon as the vendor tags a release incorporating it, and consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/cfa375a8-ab07-45da-bc77-1e7edc996e05) for the confirmed fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress instances for AR for WordPress plugin version 8.40 or earlier and document affected systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy