{"id":"UBUNTU-CVE-2024-32111","details":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.","modified":"2025-10-24T05:09:10Z","published":"2024-06-25T14:15:00Z","upstream":["CVE-2024-32111"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-32111"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-32111"},{"type":"REPORT","url":"https://wordpress.org/news/2024/06/wordpress-6-5-5/"},{"type":"REPORT","url":"https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-5-5-contributor-arbitrary-html-file-read-windows-only-vulnerability?_s_id=cve"}],"affected":[{"package":{"name":"wordpress","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/wordpress@4.4.2+dfsg-1ubuntu1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.3+dfsg-1","4.3.1+dfsg-1","4.4+dfsg-1","4.4.1+dfsg-1","4.4.2+dfsg-1","4.4.2+dfsg-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"4.4.2+dfsg-1ubuntu1","binary_name":"wordpress"},{"binary_version":"4.4.2+dfsg-1ubuntu1","binary_name":"wordpress-l10n"},{"binary_version":"4.4.2+dfsg-1ubuntu1","binary_name":"wordpress-theme-twentyfifteen"},{"binary_version":"4.4.2+dfsg-1ubuntu1","binary_name":"wordpress-theme-twentyfourteen"},{"binary_version":"4.4.2+dfsg-1ubuntu1","binary_name":"wordpress-theme-twentysixteen"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-32111.json"}},{"package":{"name":"wordpress","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/wordpress@4.9.5+dfsg1-1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.8.2+dfsg-2","4.8.3+dfsg-1","4.9.1+dfsg-1","4.9.2+dfsg-1","4.9.4+dfsg-1","4.9.5+dfsg1-1"],"ecosystem_specific":{"binaries":[{"binary_version":"4.9.5+dfsg1-1","binary_name":"wordpress"},{"binary_version":"4.9.5+dfsg1-1","binary_name":"wordpress-l10n"},{"binary_version":"4.9.5+dfsg1-1","binary_name":"wordpress-theme-twentyfifteen"},{"binary_version":"4.9.5+dfsg1-1","binary_name":"wordpress-theme-twentyseventeen"},{"binary_version":"4.9.5+dfsg1-1","binary_name":"wordpress-theme-twentysixteen"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-32111.json"}},{"package":{"name":"wordpress","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/wordpress@5.3.2+dfsg1-1ubuntu1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.2.2+dfsg1-1","5.2.4+dfsg1-1","5.3.2+dfsg1-1","5.3.2+dfsg1-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.3.2+dfsg1-1ubuntu1","binary_name":"wordpress"},{"binary_version":"5.3.2+dfsg1-1ubuntu1","binary_name":"wordpress-l10n"},{"binary_version":"5.3.2+dfsg1-1ubuntu1","binary_name":"wordpress-theme-twentynineteen"},{"binary_version":"5.3.2+dfsg1-1ubuntu1","binary_name":"wordpress-theme-twentyseventeen"},{"binary_version":"5.3.2+dfsg1-1ubuntu1","binary_name":"wordpress-theme-twentysixteen"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-32111.json"}},{"package":{"name":"wordpress","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/wordpress@5.8.3+dfsg1-1ubuntu1.1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.7.1+dfsg1-2ubuntu1","5.8.1+dfsg1-2ubuntu1","5.8.2+dfsg1-1ubuntu1","5.8.3+dfsg1-1ubuntu1","5.8.3+dfsg1-1ubuntu1.1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.8.3+dfsg1-1ubuntu1.1","binary_name":"wordpress"},{"binary_version":"5.8.3+dfsg1-1ubuntu1.1","binary_name":"wordpress-l10n"},{"binary_version":"5.8.3+dfsg1-1ubuntu1.1","binary_name":"wordpress-theme-twentynineteen"},{"binary_version":"5.8.3+dfsg1-1ubuntu1.1","binary_name":"wordpress-theme-twentytwenty"},{"binary_version":"5.8.3+dfsg1-1ubuntu1.1","binary_name":"wordpress-theme-twentytwentyone"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-32111.json"}},{"package":{"name":"wordpress","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/wordpress@6.4.3+dfsg1-1ubuntu1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.2+dfsg1-1ubuntu1","6.4.3+dfsg1-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"6.4.3+dfsg1-1ubuntu1","binary_name":"wordpress"},{"binary_version":"6.4.3+dfsg1-1ubuntu1","binary_name":"wordpress-l10n"},{"binary_version":"6.4.3+dfsg1-1ubuntu1","binary_name":"wordpress-theme-twentytwentyfour"},{"binary_version":"6.4.3+dfsg1-1ubuntu1","binary_name":"wordpress-theme-twentytwentythree"},{"binary_version":"6.4.3+dfsg1-1ubuntu1","binary_name":"wordpress-theme-twentytwentytwo"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-32111.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}]}