WordPress Plugin Vulnerabilities

Ninja Forms < 3.6.25 - Admin+ Arbitrary File Deletion

Description

The plugin does not validate the path of files to be deleted, which could allow administrators to delete arbitrary files on the server even when they should not be able to.

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.6.25

References

CVE
CVE-2023-36505

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Theodoros Malachias
Verified
No
WPVDB ID
7106f09f-be12-4ecb-8e1b-71662b8b1318

Timeline

Publicly Published
2023-06-22 (about 2 years ago)
Added
2023-07-07 (about 2 years ago)
Last Updated
2023-07-07 (about 2 years ago)

Other

Published
Title
Published
2021-09-02
Title
Simple Download Monitor < 3.9.5 - Contributor+ Arbitrary File Download via Path Traversal
Published
2015-08-28
Title
NextGen Gallery < 2.1.15 - Path Traversal
Published
2022-10-20
Title
Welcart eCommerce < 2.7.8 - Unauthenticated Arbitrary File Access
Published
2024-08-16
Title
BackWPup < 4.0.2 - Admin+ Directory Traversal
Published
2023-11-20
Title
File Manager < 6.3 - Admin+ Arbitrary OS File/Folder Access + Path Traversal