Skip to main content

Client Portal Pro

1 CVEs product

Monthly

CVE-2026-40724 MEDIUM This Month

Arbitrary file download via path traversal in the Client Portal (Pro) WordPress plugin versions 5.6.2 and earlier exposes sensitive server-side files to authenticated low-privilege users. The CWE-22 flaw allows any registered portal user to craft a file request that escapes the intended directory boundary and retrieve arbitrary files accessible to the web server process - including wp-config.php containing database credentials. No public exploit or CISA KEV listing exists at time of analysis, but the high confidentiality impact combined with low attack complexity makes this a meaningful data exposure risk on affected WordPress installations.

Path Traversal Client Portal Pro
NVD
CVSS 3.1
6.5
EPSS
0.4%
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file download via path traversal in the Client Portal (Pro) WordPress plugin versions 5.6.2 and earlier exposes sensitive server-side files to authenticated low-privilege users. The CWE-22 flaw allows any registered portal user to craft a file request that escapes the intended directory boundary and retrieve arbitrary files accessible to the web server process - including wp-config.php containing database credentials. No public exploit or CISA KEV listing exists at time of analysis, but the high confidentiality impact combined with low attack complexity makes this a meaningful data exposure risk on affected WordPress installations.

Path Traversal Client Portal Pro
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy