WordPress Plugin Vulnerabilities

HTML filter and csv-file search < 2.8 - Contributor+ Local File Inclusion

Description

The plugin does not properly sanitize and validate the 'src' attribute of the 'csvsearch' shortcode, leading to a Local File Inclusion vulnerability.

Affects Plugins

Plugin icon
hk-filter-and-search
No known fix

References

CVE
CVE-2023-5099
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ee2b4055-8cbd-49b7-bb0b-eddef85060fc

Classification

Type
RFI
OWASP top 10
A1: Injection
CWE
CWE-98
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
6cace0a9-e8a8-4135-a7f8-ce705402f36e

Timeline

Publicly Published
2023-10-30 (about 2 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2024-06-13
Title
Where I Was, Where I Will Be <= 1.1.1 - Unauthenticated Remote File Inclusion
Published
2026-02-25
Title
Overton - Creative WordPress Theme for Agencies and Freelancers <= 1.3 - Unauthenticated Local File Inclusion
Published
2026-02-25
Title
Apollo | Night Club, DJ Event WordPress <= 1.3.1 - Unauthenticated Local File Inclusion
Published
2025-08-27
Title
Neresa < 1.4 - Unauthenticated Local File Inclusion
Published
2025-02-02
Title
Fami Sales Popup <= 2.0.0 - Unauthenticated Local File Inclusion