Quttera Web Malware Scanner < 3.4.2.1 – Directory Listing to Sensitive Data Exposure | CVE 2023-6065

Description

The plugin doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code

Proof of Concept

http://your_site/wordpress/wp-content/plugins/quttera-web-malware-scanner/runtime.log
http://your_site/wordpress/wp-content/plugins/quttera-web-malware-scanner/quttera_wp_report.txt

Affects Plugins

quttera-web-malware-scanner

Fixed in 3.4.2.1

References

CVE

CVE-2023-6065

URL

https://drive.google.com/file/d/1w83xWsVLS_gCpQy4LDwbjNK9JaB87EEf/view?usp=sharing

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

64f2557f-c5e4-4779-9e28-911dfaf2dda5

Timeline

Publicly Published

2023-11-21 (about 2 years ago)

Added

2023-11-21 (about 2 years ago)

Last Updated

2023-11-21 (about 2 years ago)

Other

Published

Title

Published

2024-09-05

Title

AI Chatbot with ChatGPT by AYS <= 2.0.9 - Unauthenticated OpenAI Key Disclosure

Published

2025-02-23

Title

System Dashboard < 2.8.19 - Authenticated (Subscriber+) Sensitive Information Exposure

Published

2021-09-16

Title

BulletProof Security < 5.2 - Sensitive Information Disclosure

Published

2025-11-07

Title

Academy LMS Pro < 3.3.9 - Unauthenticated Sensitive Information Exposure via 'enqueue_social_login_script'

Published

2024-04-22

Title

FG Joomla to WordPress < 4.21.0 - Sensitive Information Exposure