Report
The User Meta WordPress plugin before 2.4.4 does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads
Score:4.3
Severity:Medium
Version: 2.4.3
There is a patch available in v2.4.4 and we strongly recommend you update to this version as soon as possible.
