Skip to main content

Ar For Wordpress

1 CVEs product

Monthly

CVE-2026-14327 HIGH This Week

Arbitrary file disclosure in the AR for WordPress plugin (versions up to and including 8.40) lets unauthenticated remote attackers read any file the web server can access via a path-traversal payload in the 'file' parameter of its secure-download handler. Exploitation is gated by a nonce and encryption-key check, but both can be satisfied remotely on default free or unlicensed installations, exposing wp-config.php and other secrets. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the vendor (Wordfence) documents the full unauthenticated bypass path.

WordPress Path Traversal Ar For Wordpress
NVD
CVSS 3.1
7.5
EPSS
0.5%
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the AR for WordPress plugin (versions up to and including 8.40) lets unauthenticated remote attackers read any file the web server can access via a path-traversal payload in the 'file' parameter of its secure-download handler. Exploitation is gated by a nonce and encryption-key check, but both can be satisfied remotely on default free or unlicensed installations, exposing wp-config.php and other secrets. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the vendor (Wordfence) documents the full unauthenticated bypass path.

WordPress Path Traversal Ar For Wordpress
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy