EUCookieLaw WordPress Plugin Arbitrary File Read Vulnerability

Vulnerability

An arbitrary file read vulnerability has been identified in the EUCookieLaw plugin for WordPress, affecting all versions through 2.7.2. The issue stems from the plugin passing a request-controlled path to PHP's file_get_contents() function, which unauthenticated attackers can abuse to read sensitive information from arbitrary files on the server. The vulnerability is only exploitable when a caching plugin, such as W3 Total Cache, is installed and active.

Impact

Exploitation of this vulnerability allows for unauthorized reading of files on the server, which could include sensitive information.

Reproduction

To reproduce this vulnerability, install EUCookieLaw version 2.7.2 or earlier and activate a caching plugin such as W3 Total Cache. The vulnerability is then triggered by sending a request whose 'p' parameter specifies the path of the file to be read. The plugin passes that value to file_get_contents(), and the contents of the specified file are returned in the response.
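The following PHP is an added example and not the EUCookieLaw plugin's own code or the vendor's fix. It sketches a hypothetical handler with the pattern the advisory describes (a 'p' request parameter reaching file_get_contents()) next to a hardened version that pins reads to a fixed base directory, allow-lists the file name and extension (the .css/.js allow-list is an assumption for this example), and rejects anything whose canonical path escapes the base. The function names, the base directory and the sample files are all constructed for the demonstration.

```php
<?php
// Added example (not the EUCookieLaw plugin's own code). Hypothetical handler
// mirroring the pattern the advisory describes: a request parameter 'p'
// naming a file whose contents are read with file_get_contents().

/**
 * Vulnerable pattern, as described in the advisory: the request-controlled
 * path reaches file_get_contents() with no validation, so any file the
 * web server user can read is returned to the client.
 */
function eucl_read_unsafe(array $request)
{
    return file_get_contents($request['p']);
}

/**
 * Hardened form (assumed design, not the vendor's fix): the caller supplies a
 * fixed base directory, the request may only select a bare file name with an
 * allow-listed extension, and the canonical path must stay inside the base.
 * Returns null on any rejection so the caller can answer 4xx instead of data.
 */
function eucl_read_safe(array $request, string $base_dir)
{
    $base = realpath($base_dir);
    if ($base === false || !isset($request['p']) || !is_string($request['p'])) {
        return null;
    }
    // Keep only the last path component: "../x/banner.css" becomes "banner.css".
    $name = basename($request['p']);
    // Allow-list: simple names with a .css or .js extension (assumed for this example).
    if (!preg_match('/^[A-Za-z0-9_\-]+\.(css|js)$/', $name)) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files and follows symlinks, so the
    // prefix check on the resolved path also rejects links pointing outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

// Self-contained demonstration using a constructed temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'eucl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/banner.css', ".eucl { display: block; }\n");
file_put_contents($dir . '/secret.txt', "not for the browser\n");

$checks = [
    ['p' => 'banner.css'],        // legitimate asset inside the base: served
    ['p' => 'secret.txt'],        // extension not allow-listed: rejected
    ['p' => '../../outside.css'], // traversal: basename() strips it, realpath() finds nothing
    ['p' => 'missing.css'],       // nonexistent file: rejected by realpath()
];
foreach ($checks as $req) {
    $out = eucl_read_safe($req, $dir);
    printf("%-20s => %s\n", $req['p'], $out === null ? 'REJECTED' : 'served ' . strlen($out) . ' bytes');
}

unlink($dir . '/banner.css');
unlink($dir . '/secret.txt');
rmdir($dir);
```

The hardened function deliberately never echoes the rejected value back or reveals why it was rejected, and it validates the file name before touching the filesystem; the realpath() prefix check is the last line of defence rather than the only one, since it is what catches symlinks and any name the regex did not anticipate.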

Remediation

Users are advised to update the EUCookieLaw WordPress plugin to version 2.7.3 or a newer patched version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 3.3
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.