JVM rich text icons < 1.2.4 – Subscriber+ Arbitrary File Upload | CVE 2023-51417 | Plugin Vulnerabilities

Description

The JVM Gutenberg Rich Text Icons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload_icon' function in all versions up to and including 1.2.3. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

jvm-rich-text-icons

Fixed in 1.2.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ca064db0-2718-4521-9467-335b59208858

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

215d49a1-6879-4a0c-8490-e8456745aa3d

Timeline

Publicly Published

2023-12-27 (about 2 years ago)

Added

2024-01-03 (about 2 years ago)

Last Updated

2024-01-03 (about 2 years ago)

Other

Published

Title

Published

2024-10-04

Title

Hash Form - Drag & Drop Form Builder < 1.2.0 - Unauthenticated Limited File Upload

Published

2025-08-15

Title

School Management System <= 93.2.0 - Authenticated (Student+) Arbitrary File Upload

Published

2023-12-29

Title

WP All Import < 3.7.3 - Admin+ Arbitrary File Upload to RCE

Published

2026-02-18

Title

Checkout Field Manager (Checkout Manager) for WooCommerce < 7.8.2 - Unauthenticated Limited File Upload

Published

2024-10-21

Title

INK Official <= 4.1.2 - Authenticated (Contributor+) Arbitrary File Upload