WordPress Plugin Vulnerabilities

Ads by datafeedr.com < 1.2.0 - Unauthenticated Remote Code Execution

Description

The plugin does not adequately secure the 'dfads_ajax_load_ads' function, leading to a potential Remote Code Execution (RCE) vulnerability.

Affects Plugins

Plugin icon
ads-by-datafeedrcom
Fixed in 1.2.0

References

CVE
CVE-2023-5843
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5412fd87-49bc-445c-8d16-443e38933d1e

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.0 (critical)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
021a7f72-7daf-4d9b-b44e-0f80a519ed0d

Timeline

Publicly Published
2023-10-30 (about 2 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-15 (about 2 years ago)

Other

Published
Title
Published
2020-04-19
Title
Media Library Assistant < 2.82 - Authenticated RCE
Published
2025-06-23
Title
Content No Cache < 0.1.5 - Unauthenticated Arbitrary Function Call
Published
2025-02-12
Title
Avada Theme < 7.11.14 - Unauthenticated Arbitrary Shortcode Execution
Published
2023-09-05
Title
Media Library Assistant < 3.10 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution
Published
2026-02-17
Title
Product Addons for Woocommerce – Product Options with Custom Fields < 3.1.1 - Authenticated (Shop Manager+) Code Injection via Conditional Logic 'operator' Parameter