CVE-2018-9118 in 99 Robots WP Background Takeover Advertisements Plugin

Summary

by MITRE

exports/download.php in the 99 Robots WP Background Takeover Advertisements plugin before 4.1.5 for WordPress has Directory Traversal via a .. in the filename parameter.

Analysis

by VulDB Data Team • 08/16/2025

CVE-2018-9118 is a directory traversal flaw in the 99 Robots WP Background Takeover Advertisements plugin for WordPress, located in the exports/download.php file. That script uses its filename parameter to select the file to serve, and traversal sequences such as ".." in the parameter are not rejected, so a request can reach arbitrary files on the server outside the intended download directory. All versions prior to 4.1.5 are affected, which left installations exposed for a prolonged period. The root cause is that user input flows directly into a file system operation without sanitization or validation.

The flaw maps to CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal. Because the download handler neither sanitizes nor constrains the filename parameter before using it in a file system operation, a request can step out of the intended download directory and read files that should remain protected, such as configuration files, files holding database credentials, or other system files. Manipulating the file path through the filename parameter thereby bypasses the access control that the download directory was meant to provide and can expose critical system information.

The operational impact goes beyond simple information disclosure, because the files that become readable can enable further compromise of the WordPress installation: wp-config.php contains the database credentials and cryptographic keys, and other plugin files may contain additional vulnerabilities. The attack requires minimal sophistication and can be executed with standard web application penetration testing tools, which makes it particularly dangerous in environments where WordPress plugins are not regularly updated or monitored for security patches. The vulnerability also aligns with ATT&CK technique T1213.002, which involves data from network repositories, since the path traversal gives access to stored credentials and configuration data.

Mitigation for CVE-2018-9118 is primarily to update the plugin to version 4.1.5 or later, which contains the necessary input validation fix. System administrators should add defensive measures on top of that: restrict file access permissions on the plugin's download directory, and deploy a web application firewall that detects and blocks directory traversal patterns in URL parameters. Regular security audits of WordPress installations should include checks for outdated plugins and for proper input validation across all user-facing interfaces. Least-privilege access controls for file system operations, together with monitoring for unusual file access patterns, help detect exploitation attempts. The vulnerability demonstrates why keeping WordPress plugins updated and validating input are fundamental security controls.
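The two mitigations above, a server-side containment check for the filename parameter and detection of traversal patterns in request logs, as an added Python example that is not part of VulDB's page or the plugin's own code; EXPORT_DIR, the PLUGIN-SLUG path segment and the sample request lines are constructed assumptions.

```python
import os
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Assumed export directory for the example; not the plugin's real layout.
EXPORT_DIR = "/var/www/html/wp-content/uploads/wpbt-exports"

def safe_export_path(base_dir: str, filename: str) -> Optional[str]:
    """Resolve filename inside base_dir, or return None.

    After realpath() collapses '..' and symlinks the result must still lie
    below the export directory; absolute paths, '..' hops and an empty name
    fail. filename is assumed already URL-decoded once, like PHP's $_GET.
    """
    if "\x00" in filename:          # a NUL byte would truncate the path
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate

# A parent-directory step at the start, the end, or between separators.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

def is_traversal_request(request_line: str) -> bool:
    """True if the filename query parameter of an access-log request line
    contains a '..' step once URL and double-URL encoding are undone."""
    parts = request_line.split()
    if not parts:
        return False
    target = parts[1] if len(parts) > 1 else parts[0]
    for raw in parse_qs(urlparse(target).query).get("filename", []):
        decoded = unquote(unquote(raw)).replace("\\", "/")
        if TRAVERSAL_RE.search(decoded):
            return True
    return False

def flag_requests(lines: List[str]) -> List[int]:
    """Indices of request lines that look like traversal attempts."""
    return [i for i, line in enumerate(lines) if is_traversal_request(line)]

# Constructed sample request lines (not captured traffic); PLUGIN-SLUG
# stands in for the plugin's directory name.
SAMPLE_REQUESTS = [
    "GET /wp-content/plugins/PLUGIN-SLUG/exports/download.php?filename=report.csv HTTP/1.1",
    "GET /wp-content/plugins/PLUGIN-SLUG/exports/download.php?filename=../../../../wp-config.php HTTP/1.1",
    "GET /wp-content/plugins/PLUGIN-SLUG/exports/download.php?filename=..%2F..%2Fwp-config.php HTTP/1.1",
    "GET /wp-content/plugins/PLUGIN-SLUG/exports/download.php?filename=%252e%252e%252fwp-config.php HTTP/1.1",
]
```

`flag_requests(SAMPLE_REQUESTS)` returns `[1, 2, 3]`: only the first, benign request passes, and the same containment logic in `safe_export_path` is what a patched download handler needs before opening any file.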

Reservation: 03/28/2018
Disclosure: 04/12/2018
Moderation: accepted
CPE: ready

EPSS: 0.71307
KEV: no
Activities: very low

Sources
