Security readout for executives and security teams
Plain-English summary
CVE-2014-9014 affects the WP Marketplace WordPress plugin before 2.4.1. An authenticated remote user could abuse a directory traversal flaw to download arbitrary files from the server. This may expose sensitive configuration or application data, but the supplied sources do not show active exploitation.
Executive priority
Treat this as a targeted legacy WordPress exposure issue. Prioritize internet-facing sites with the plugin installed and broad user registration or shared accounts.
Technical view
The flaw is in the ajaxinit function in wpmarketplace/libs/cart.php. The file parameter was not constrained against dot-dot path traversal, allowing authenticated users to request files outside the intended directory. The CVE record names versions before 2.4.1 as affected.
Likely exposure
Exposure is most likely on WordPress sites running WP Marketplace before version 2.4.1, especially where untrusted or low-privilege users can authenticate.
Exploitation context
The CVE requires remote authenticated access. A public Exploit-DB reference exists, but the bundle does not establish active exploitation, CISA KEV listing, or unauthenticated exploitation.
Researcher notes
The source bundle lacks CVSS, CWE, detailed patch notes, and confirmed affected CPEs. Analysis is grounded in the CVE description and public references only; no exploit procedure is included.
Mitigation direction
- Inventory WordPress sites for the WP Marketplace plugin.
- Upgrade WP Marketplace to 2.4.1 or later where available.
- If upgrade status is unclear, check vendor or maintainer guidance.
- Restrict or remove untrusted WordPress user accounts.
- Review server logs for suspicious file download requests.
Validation and detection
- Confirm installed WP Marketplace plugin version on each WordPress site.
- Identify whether any site runs a version before 2.4.1.
- Review user roles with authentication access to affected sites.
- Check web logs for traversal patterns in plugin-related requests.
- Verify file permissions limit WordPress access to sensitive files.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
File access behavior lookup
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2014-9014 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.htmlCVE reference · x_refsource_MISC
- https://www.exploit-db.com/exploits/36466/CVE reference · x_refsource_MISC
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
