WordPress Plugin Vulnerabilities

WP-DBManager < 2.80.8 - Admin+ Remote Command Execution

Description

The plugin does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should.

Proof of Concept

Affects Plugins

Plugin icon
wp-dbmanager
Fixed in 2.80.8

References

CVE
CVE-2022-2354

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
raadfhaddad
Verified
Yes
WPVDB ID
1c8c5861-ce87-4813-9e26-470d63c1903a

Timeline

Publicly Published
2022-07-25 (about 3 years ago)
Added
2022-07-25 (about 3 years ago)
Last Updated
2022-08-25 (about 3 years ago)

Other

Published
Title
Published
2024-12-05
Title
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup < 4.0.52 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2024-05-03
Title
WordPress Meta Data and Taxonomies Filter (MDTF) < 1.3.3.3 - Unauthenticated Arbitrary Shortcode Execution
Published
2025-12-11
Title
WPMasterToolKit (WPMTK) < 2.13.1 - Authenticated (Contributor+) Code Injection
Published
2014-08-01
Title
Kernel Theme - functions/upload-h&ler.php File Upload Remote Code Execution
Published
2025-04-23
Title
Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution