Launchpad.net

CVE 2016-10929

The advanced-ajax-page-loader plugin before 2.7.7 for WordPress has no protection against the reading of uploaded files when not logged in.

See the CVE page on Mitre.org for more details.
