Medium severity6.3NVD Advisory· Published Jan 5, 2017· Updated May 6, 2026
CVE-2016-7169
CVE-2016-7169
Description
Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.
Affected products
1- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*Range: <=4.6
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- codex.wordpress.org/Version_4.6.1nvdPatch
- github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6envdPatch
- wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/nvdPatchVendor Advisory
- www.debian.org/security/2016/dsa-3681nvd
- www.securityfocus.com/bid/92841nvd
- wpvulndb.com/vulnerabilities/8616nvd
News mentions
0No linked articles in our index yet.