CVE-2019-14794
Description
The Meta Box plugin before 4.16.2 for WordPress mishandles the uploading of files to custom folders.
Vulnerability mechanics
Root cause
"The plugin mishandles file uploads to custom folders, allowing path traversal."
Attack vector
An attacker can upload files to arbitrary directories by exploiting a path traversal vulnerability in the file upload functionality. This could allow for the overwriting of existing files or the placement of malicious files on the server. The vulnerability is triggered when the plugin processes file uploads without properly sanitizing directory paths [ref_id=1].
Affected code
The vulnerability is related to the handling of file uploads to custom folders within the Meta Box plugin. The changelog indicates a fix for 'path traversal in ajax_delete_file for security' in version 5.11.2 [ref_id=1].
What the fix does
The patch addresses the path traversal vulnerability by implementing proper sanitization for file paths during uploads. Specifically, the fix ensures that uploaded files are stored only within intended directories and prevents attackers from manipulating paths to access or overwrite files outside of the designated upload folder [ref_id=1].
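A containment check of the kind described above, as an added example: it is not the Meta Box patch, and the function names, the sample base directory and the sample inputs are hypothetical. It treats the custom folder as relative to a fixed base, rejects any path that climbs above that base, and re-checks after symlink resolution when the folder already exists.

```php
<?php
// Added illustration; function names and sample inputs are hypothetical, not Meta Box code.

/** Collapse "." and ".." lexically; null if the path would climb above its root. */
function normalize_relative(string $path): ?string {
    if (strpos($path, "\0") !== false) { return null; }
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') {
            if (!$parts) { return null; }      // "../" past the base directory
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return implode('/', $parts);
}

/** Absolute target path inside $baseDir, or null when the request must be rejected. */
function resolve_upload_target(string $baseDir, string $customDir, string $fileName): ?string {
    $base = realpath($baseDir);
    $rel  = normalize_relative($customDir);
    if ($base === false || $rel === null || strpos($fileName, "\0") !== false) { return null; }
    // basename() discards any directory component smuggled into the file name.
    $name = basename(str_replace('\\', '/', $fileName));
    if ($name === '' || $name === '.' || $name === '..') { return null; }
    $dir = $rel === '' ? $base : $base . DIRECTORY_SEPARATOR . $rel;
    // If the folder already exists, resolve symlinks and re-check containment.
    $real = realpath($dir);
    if ($real !== false) {
        if (strpos($real . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) { return null; }
        $dir = $real;
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

// Constructed inputs: [custom folder, file name]
$base = sys_get_temp_dir();
foreach ([['gallery/2019', 'photo.jpg'], ['../../etc', 'x.txt'],
          ['a/../../b', 'x.txt'], ['docs', '../../index.php']] as [$dir, $file]) {
    $target = resolve_upload_target($base, $dir, $file);
    printf("%-14s %-18s => %s\n", $dir, $file, $target ?? 'REJECTED');
}
```

The second and third inputs are rejected; the fourth is accepted only after the traversal in the file name has been reduced to `index.php` inside `docs`.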
Preconditions
- input: The attacker needs to be able to trigger the file upload functionality.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. metabox.io/changelog/ (mitre, x_refsource_MISC)