WordPress Plugin Vulnerabilities

Easy WP SMTP < 1.5.2 - Admin+ Arbitrary File Deletion

Description

The plugin does not validate some user input used to generate paths, which could allow high privilege users such as admin to delete arbitrary files (even when they should not be able to, for example in multisite) via a traversal attack

Affects Plugins

Plugin icon
easy-wp-smtp
Fixed in 1.5.2

References

CVE
CVE-2022-45829

Classification

Type
FILE DELETION
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Tomasz Staszyszyn
Verified
No
WPVDB ID
2adf2457-707b-4d2e-81d9-d1bf304e52ba

Timeline

Publicly Published
2022-11-30 (about 3 years ago)
Added
2022-12-06 (about 3 years ago)
Last Updated
2022-12-06 (about 3 years ago)

Other

Published
Title
Published
2025-04-18
Title
CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon < 2.5 - Unauthenticated Arbitrary File Read
Published
2025-08-22
Title
Wptobe-memberships <= 3.4.2 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2026-03-20
Title
Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Read
Published
2025-07-30
Title
NinjaScanner < 3.2.6 - Admin+ Arbitrary File Deletion
Published
2025-03-19
Title
Order Export & Order Import for WooCommerce < 2.6.1 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function