CVE-2019-15822
Description
The wps-child-theme-generator plugin before 1.2 for WordPress has classes/helpers.php directory traversal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/wps-child-theme-generator
- Range: <1.2
Patches
Vulnerability mechanics
Root cause
"The plugin fails to properly sanitize user-supplied input for file paths, allowing directory traversal."
Attack vector
An attacker can exploit this vulnerability by sending a crafted filename containing directory traversal sequences, such as '../../wp-config.php%00'. The null byte (%00) at the end of the payload is ignored by PHP, allowing the traversal to succeed. This could result in the creation of a file named 'wp-config.php' at the website's root directory [ref_id=1].
Affected code
The vulnerability is in classes/helpers.php of the wps-child-theme-generator plugin. The input patterns used for validation are not enough to protect the PHP side from receiving incorrect values [ref_id=1].
What the fix does
The vulnerability has been patched in version 1.2 of the plugin. The advisory does not specify the exact code changes, but the fix addresses the improper validation of input in the file handling process, preventing directory traversal attacks [ref_id=1].
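Since the advisory does not show the patched code, the following is an added example (not the plugin's code and not the 1.2 fix) of server-side validation that confines a user-supplied file name to one directory and rejects the traversal and null-byte input described above. The function name `safe_child_path`, the `child-theme-demo` directory and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: map a user-supplied file name to a path inside
 * $baseDir, or return null when the name must be rejected.
 */
function safe_child_path(string $baseDir, string $name): ?string
{
    // Allow-list a single path component: no '/', '\', '%', NUL or other
    // control bytes, and no leading dot. \A and \z anchor the whole string
    // ('$' would tolerate a trailing newline).
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name)) {
        return null;
    }

    // Defence in depth: canonicalise the base directory and confirm the
    // candidate's parent resolves to exactly that directory.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }

    // Refuse to write through a symlink planted at the target name.
    return is_link($candidate) ? null : $candidate;
}

// Constructed sample inputs, including the payload quoted in the advisory
// in both its encoded and decoded forms.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'child-theme-demo';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
$samples = [
    'style.css',
    'functions.php',
    '../../wp-config.php%00',
    "../../wp-config.php\0",
    '..',
    '.htaccess',
];
foreach ($samples as $input) {
    $path = safe_child_path($base, $input);
    printf("%-30s => %s\n", json_encode($input), $path ?? 'REJECTED');
}
```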
Preconditions
- The plugin must be installed and active.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secupress.me/blog/wps-child-theme-generator-v1-1-multiples-vulnerabilities/ (MITRE, x_refsource_MISC)
- wordpress.org/plugins/wps-child-theme-generator/ (MITRE, x_refsource_MISC)
- wpvulndb.com/vulnerabilities/9470 (MITRE, x_refsource_MISC)