WordPress Plugin Vulnerabilities

WP Mail Log < 1.1.3 – Contributor+ Arbitrary File Upload to RCE

Description

The plugin does not properly validate file extensions uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution.

Proof of Concept

Affects Plugins

Plugin icon
wp-mail-log
Fixed in 1.1.3

References

CVE
CVE-2023-5673

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
231f72bf-9ad0-417e-b7a0-3555875749e9

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-11-28 (about 2 years ago)
Last Updated
2023-11-28 (about 2 years ago)

Other

Published
Title
Published
2017-03-07
Title
WordPress Mobile app Builder 1.05 - Unauthenticated File Upload
Published
2014-08-01
Title
HTML5 AV Manager 0.2.7 - Arbitrary File Upload
Published
2024-10-14
Title
Digital Lottery <= 3.0.5 - Unauthenticated Arbitrary File Upload
Published
2012-06-05
Title
Member Private Conversation < 1.4 - Unrestricted File Upload
Published
2018-12-24
Title
Baggage Freight Shipping Australia 0.1.0 - Unauthenticated Arbitrary File Upload