CVE-2017-11658

Name: CVE-2017-11658
Creator: NVD / NIST
Published: 2017-07-26T15:29:00.25+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 3.33%

Last modified Jun 17, 2026

CVE-2017-11658 is a vulnerability of currently unknown severity. In the WP Rocket plugin 2.9.3 for WordPress, the Local File Inclusion mitigation technique is to trim traversal characters (..) -- however, this is insufficient to stop remote attacks and can be bypassed by using 0x00 bytes, as demonstrated by a .%00.../.%00.../ attack.. EPSS estimates a 3.33% chance of exploitation in the next 30 days.

Description

In the WP Rocket plugin 2.9.3 for WordPress, the Local File Inclusion mitigation technique is to trim traversal characters (..) -- however, this is insufficient to stop remote attacks and can be bypassed by using 0x00 bytes, as demonstrated by a .%00.../.%00.../ attack.

Metrics

EPSS Probability

3.33%

87.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-22

Affected Software

Vendor	Product	Versions
Wp-Rocket	Wp-Rocket	1.3.0
Wp-Rocket	Wp-Rocket	1.3.1
Wp-Rocket	Wp-Rocket	1.3.2
Wp-Rocket	Wp-Rocket	1.3.3
Wp-Rocket	Wp-Rocket	1.3.4
Wp-Rocket	Wp-Rocket	1.3.5
Wp-Rocket	Wp-Rocket	1.3.6
Wp-Rocket	Wp-Rocket	1.3.7
Wp-Rocket	Wp-Rocket	2.0.0
Wp-Rocket	Wp-Rocket	2.0.1
Wp-Rocket	Wp-Rocket	2.0.2
Wp-Rocket	Wp-Rocket	2.0.3
Wp-Rocket	Wp-Rocket	2.0.4
Wp-Rocket	Wp-Rocket	2.0.5
Wp-Rocket	Wp-Rocket	2.1.0
Wp-Rocket	Wp-Rocket	2.1.1
Wp-Rocket	Wp-Rocket	2.2.0
Wp-Rocket	Wp-Rocket	2.2.1
Wp-Rocket	Wp-Rocket	2.2.2
Wp-Rocket	Wp-Rocket	2.2.3
Wp-Rocket	Wp-Rocket	2.3.0
Wp-Rocket	Wp-Rocket	2.3.1
Wp-Rocket	Wp-Rocket	2.3.2
Wp-Rocket	Wp-Rocket	2.3.3
Wp-Rocket	Wp-Rocket	2.3.4
Wp-Rocket	Wp-Rocket	2.3.5
Wp-Rocket	Wp-Rocket	2.3.6
Wp-Rocket	Wp-Rocket	2.3.7
Wp-Rocket	Wp-Rocket	2.3.8
Wp-Rocket	Wp-Rocket	2.3.9
Wp-Rocket	Wp-Rocket	2.3.10
Wp-Rocket	Wp-Rocket	2.3.11
Wp-Rocket	Wp-Rocket	2.4.0
Wp-Rocket	Wp-Rocket	2.4.1
Wp-Rocket	Wp-Rocket	2.4.2
Wp-Rocket	Wp-Rocket	2.5.0
Wp-Rocket	Wp-Rocket	2.5.1
Wp-Rocket	Wp-Rocket	2.5.2
Wp-Rocket	Wp-Rocket	2.5.3
Wp-Rocket	Wp-Rocket	2.5.4
Wp-Rocket	Wp-Rocket	2.5.5
Wp-Rocket	Wp-Rocket	2.5.6
Wp-Rocket	Wp-Rocket	2.5.7
Wp-Rocket	Wp-Rocket	2.5.8
Wp-Rocket	Wp-Rocket	2.5.9
Wp-Rocket	Wp-Rocket	2.5.10
Wp-Rocket	Wp-Rocket	2.5.11
Wp-Rocket	Wp-Rocket	2.5.12
Wp-Rocket	Wp-Rocket	2.6.0
Wp-Rocket	Wp-Rocket	2.6.1.1

Showing 50 of 110 affected configurations. See NVD for the full list.

References

https://gist.github.com/Shinkurt/157dbb3767c9489f3d754f79b183a890Exploit, Third Party Advisory
https://wp-rocket.me/changelogRelease Notes, Vendor Advisory
https://wpvulndb.com/vulnerabilities/8872Third Party Advisory, VDB Entry
https://gist.github.com/Shinkurt/157dbb3767c9489f3d754f79b183a890Exploit, Third Party Advisory
https://wp-rocket.me/changelogRelease Notes, Vendor Advisory
https://wpvulndb.com/vulnerabilities/8872Third Party Advisory, VDB Entry

Timeline

Published: Jul 26, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-11658?

How severe is CVE-2017-11658?

Severity scoring for CVE-2017-11658 is pending analysis. The EPSS model estimates a 3.33% probability of exploitation in the next 30 days.

How do I fix CVE-2017-11658?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-11658?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST