WordPress Plugin Vulnerabilities

Symbiostock Lite <= 6.0.0 - Authenticated (Shop Manager+) Arbitrary File Upload

Description

The Symbiostock – Sell Photos Online For Free! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.0.0. This makes it possible for authenticated attackers, with shop manager-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
symbiostock
No known fix

References

CVE
CVE-2023-49814
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/666b8b39-fab0-4e99-b365-a4ac9f964494

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
1a4556d0-b3b7-4621-9dc4-f99ccd5d1fb4

Timeline

Publicly Published
2023-12-05 (about 2 years ago)
Added
2023-12-09 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-11-13
Title
CF7 Reply Manager <= 1.2.3 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2024-10-17
Title
WP Dropbox Dropins <= 1.0 - Unauthenticated Arbitrary File Upload
Published
2025-08-04
Title
WP Import Export Lite < 3.9.30 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2014-08-01
Title
chikuncount - ofc_upload_image.php Arbitrary File Upload
Published
2020-04-02
Title
Art-Picture-Gallery <= 1.2.9 - Unauthenticated Arbitrary File Upload