vulnerability

WordPress Plugin: wp-rocket: CVE-2017-11658: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:P/I:N/A:N)	Jun 22, 2017	May 15, 2025	May 15, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

Jun 22, 2017

Added

May 15, 2025

Modified

May 15, 2025

Description

In the WP Rocket plugin 2.10.3 for WordPress, the Local File Inclusion mitigation technique is to trim traversal characters (..) -- however, this is insufficient to stop remote attacks and can be bypassed by using 0x00 bytes, as demonstrated by a .%00.../.%00.../ attack.

Solution

wp-rocket-plugin-cve-2017-11658

References

URL-https://www.cve.org/CVERecord?id=CVE-2017-11658
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/9167e4bd-74be-46c9-b06e-566c13c02c7d?source=api-prod
CVE-2017-11658
https://attackerkb.com/topics/CVE-2017-11658

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today