WPCode Lite < 2.0.9 – Arbitrary Log File Deletion via CSRF | CVE 2023-1624 | Plugin Vulnerabilities

Description

The plugin has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders

Proof of Concept

Make a logged in user with the wpcode_activate_snippets  capability open the URL below

https://example.com/wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=../../delete-me.log

This will make them delete the ~/wp-content/delete-me.log

Affects Plugins

insert-headers-and-footers

Fixed in 2.0.9

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

132b70e5-4368-43b4-81f6-2d01bc09dc8f

Timeline

Publicly Published

2023-04-03 (about 2 years ago)

Added

2023-04-03 (about 2 years ago)

Last Updated

2023-04-03 (about 2 years ago)

Other

Published

Title

Published

2024-08-19

Title

BP Profile Search < 5.8 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Published

2024-11-20

Title

Friendly Functions for Welcart < 1.2.5 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Published

2024-03-28

Title

WP-Eggdrop <= 0.1 - Cross-Site Request Forgery to Settings Update

Published

2025-08-14

Title

Build App Online <= 1.0.23 - Cross-Site Request Forgery

Published

2025-04-09

Title

WP Show Stats <= 1.5 - Cross-Site Request Forgery