WordPress Plugin Vulnerabilities

Dropbox Folder Share <= 1.9.7 - Unauthenticated Remote Code Execution via LFI

Description

The plugin does not validate the path and name of a file before including it, allowing unauthenticated visitors to include and execute arbitrary php files on the server, leading to remote code execution.

Affects Plugins

Plugin icon
dropbox-folder-share
No known fix

References

CVE
CVE-2023-4488
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/dropbox-folder-share/dropbox-folder-share-197-unauthenticated-local-file-inclusion

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
3430c642-7151-422c-abae-98bea04c5744

Timeline

Publicly Published
2023-09-12 (about 2 years ago)
Added
2023-10-27 (about 2 years ago)
Last Updated
2023-10-27 (about 2 years ago)

Other

Published
Title
Published
2025-07-23
Title
hiWeb Export Posts <= 0.9.0.0 - Cross-Site Request Forgery to Arbitrary File Deletion
Published
2024-10-10
Title
WordPress Comments Import & Export < 2.3.9 - Authenticated (Author+) Arbitrary File Read via Directory Traversal
Published
2025-06-13
Title
Restrict File Access <= 1.1.2 - Authenticated (Subscriber+) Arbitrary File Read
Published
2025-07-22
Title
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor < 1.27.9 - Authenticated (Contributor+) Path Traversal
Published
2025-04-16
Title
WP Editor < 1.2.9.2 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Read