Client Portal Pro
Monthly
Arbitrary file download via path traversal in the Client Portal (Pro) WordPress plugin versions 5.6.2 and earlier exposes sensitive server-side files to authenticated low-privilege users. The CWE-22 flaw allows any registered portal user to craft a file request that escapes the intended directory boundary and retrieve arbitrary files accessible to the web server process - including wp-config.php containing database credentials. No public exploit or CISA KEV listing exists at time of analysis, but the high confidentiality impact combined with low attack complexity makes this a meaningful data exposure risk on affected WordPress installations.
Arbitrary file download via path traversal in the Client Portal (Pro) WordPress plugin versions 5.6.2 and earlier exposes sensitive server-side files to authenticated low-privilege users. The CWE-22 flaw allows any registered portal user to craft a file request that escapes the intended directory boundary and retrieve arbitrary files accessible to the web server process - including wp-config.php containing database credentials. No public exploit or CISA KEV listing exists at time of analysis, but the high confidentiality impact combined with low attack complexity makes this a meaningful data exposure risk on affected WordPress installations.