WordPress Plugin Vulnerabilities

Uncode Core < 2.8.9 - Authenticated (Subscriber+) Arbitrary File Deletion

Description

The uncode-core plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.8.8. This makes it possible for authenticated attackers with subscriber level access or higher to delete arbitrary files on the site.

Affects Plugins

Plugin icon
uncode-core
Fixed in 2.8.9

References

CVE
CVE-2023-51500
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/74ab025d-4e76-46e5-b8f8-963eeea5b802

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
66d04df5-fe00-436d-8135-47ecfd52a6a7

Timeline

Publicly Published
2023-12-21 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-12-02
Title
WP Mailster < 1.8.17.0 - Missing Authorization
Published
2025-12-10
Title
Searcher for Elementor <= 1.0.3 - Missing Authorization
Published
2025-04-04
Title
Ai Image Alt Text Generator for WP < 1.1.2 - Missing Authorization
Published
2023-11-21
Title
UserPro < 5.1.5 - Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template
Published
2025-11-24
Title
Autochat Automatic Conversation <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update