WordPress Plugin Vulnerabilities

Finale Lite < 2.17.0 - Unauthenticated Arbitrary File Deletion

Description

The plugin does not have authorisation when deleting files, allowing unauthenticated users to delete arbitrary file on the server

Affects Plugins

Plugin icon
finale-woocommerce-sales-countdown-timer-discount
Fixed in 2.17.0

References

CVE
CVE-2023-47180
URL
https://patchstack.com/database/vulnerability/finale-woocommerce-sales-countdown-timer-discount/wordpress-finale-lite-sales-countdown-timer-discount-for-woocommerce-plugin-2-16-0-arbitrary-content-deletion-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Verified
No
WPVDB ID
6a4b090b-d42c-458b-89bc-1cda2fde15ed

Timeline

Publicly Published
2023-10-31 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-04 (about 2 years ago)

Other

Published
Title
Published
2024-06-06
Title
Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow < 1.4.0 - Missing Authorization
Published
2024-12-11
Title
Zita Site Builder <= 1.0.2 - Missing Authorization to Arbitrary Plugin Installation
Published
2024-08-28
Title
GeoDirectory < 2.3.71 - Missing Authorization via geodirectory_rated()
Published
2024-12-02
Title
WP Mailster < 1.8.17.0 - Missing Authorization
Published
2026-03-15
Title
Tutor LMS < 3.9.8 - Missing Authorization