WordPress Plugin Vulnerabilities

Store Locator WordPress < 1.4.15 - Admin+ Arbitrary File Deletion

Description

The plugin is vulnerable to Directory Traversal, allowing authenticated attackers, with administrator access and above, to delete arbitrary files.

Affects Plugins

Plugin icon
agile-store-locator
Fixed in 1.4.15

References

CVE
CVE-2023-50885
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8cb5c386-eee3-4e88-a827-766a4901f432

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Abu Hurayra (HurayraIIT)
Verified
No
WPVDB ID
7753a785-73e3-4272-aadb-292f0bd7b6a2

Timeline

Publicly Published
2023-12-26 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-03 (about 2 years ago)

Other

Published
Title
Published
2024-10-21
Title
3D Work In Progress <= 1.0.3 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2024-10-11
Title
WordPress File Upload < 4.24.12 - Unauthenticated Path Traversal to Arbitrary File Read and Deletion in wfu_file_downloader.php
Published
2026-02-26
Title
Directory Listings WordPress plugin – uListing <= 2.2.0 - Authenticated (Editor+) Arbitrary File Download
Published
2025-10-30
Title
Zombify < 1.7.6 - Authenticated (Subscriber+) Path Traversal to Arbitrary File Read
Published
2024-07-26
Title
Grow by Tradedoubler < 2.0.22 - Unauthenticated LFI