WordPress Plugin Vulnerabilities

WatchTowerHQ < 3.6.16 - Unauthenticated Arbitrary File Access

Description

The plugin does properly check for the access token in its REST API endpoints, which could allow unauthenticated attackers to call them and download arbitrary files

Affects Plugins

Plugin icon
watchtowerhq
Fixed in 3.6.16

References

CVE
CVE-2022-44583

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
96c741c8-576a-45ac-ac55-da2b37d77a13

Timeline

Publicly Published
2022-11-01 (about 3 years ago)
Added
2022-11-19 (about 3 years ago)
Last Updated
2022-11-19 (about 3 years ago)

Other

Published
Title
Published
2024-02-09
Title
RSS Aggregator by Feedzy < 4.4.3 - Missing Authorization to Arbitrary Page Creation and Publication
Published
2025-11-29
Title
Compress for MainWP <= 6.50.17 - Missing Authorization
Published
2021-11-25
Title
Browser and Operating System Finder <= 1.2 - Unauthenticated Arbitrary Settings Update to Stored XSS
Published
2025-12-31
Title
Appender <= 1.1.1 - Missing Authorization
Published
2023-10-05
Title
Profile Extra Fields by BestWebSoft < 1.2.8 - Unauthenticated Sensitive Data Disclosure