WordPress Plugin Vulnerabilities

WPCode Lite < 2.0.9 - Arbitrary Log File Deletion via CSRF

Description

The plugin has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders

Proof of Concept

Make a logged in user with the wpcode_activate_snippets  capability open the URL below

https://example.com/wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=../../delete-me.log

This will make them delete the ~/wp-content/delete-me.log

Affects Plugins

Plugin icon
insert-headers-and-footers
Fixed in 2.0.9

References

CVE
CVE-2023-1624

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
132b70e5-4368-43b4-81f6-2d01bc09dc8f

Timeline

Publicly Published
2023-04-03 (about 1 years ago)
Added
2023-04-03 (about 1 years ago)
Last Updated
2023-04-03 (about 1 years ago)

Other

Published
Title
Published
2022-05-18
Title
HC Custom WP-Admin URL <= 1.4 - Unauthenticated Arbitrary Settings Update via CSRF
Published
2023-10-19
Title
AI ChatBot < 4.9.3 - Cross-Site Request Forgery (CSRF)
Published
2023-09-07
Title
EmbedPress < 3.8.4 - Cross-Site Request Forgery
Published
2024-04-11
Title
Email Marketing for WooCommerce by Omnisend < 1.14.4 - Cross-Site Request Forgery
Published
2020-09-26
Title
Customizr < 4.3.1 - Arbitrary Settings Update via CSRF