WordPress Plugin Vulnerabilities

Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload

Description

The plugin does not properly validate uploaded files via the ajaxUploadFonts() function, allowing any authenticated users, such as subscriber to upload arbitrary files

Affects Plugins

Plugin icon
essential-real-estate
Fixed in 4.4.0

References

CVE
CVE-2023-6827
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8bb2ce22-077b-41dd-a2ff-cc1db9d20d38

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
9c932899-f27d-45be-aa35-3ac1b49ed57d

Timeline

Publicly Published
2023-12-14 (about 2 years ago)
Added
2023-12-15 (about 2 years ago)
Last Updated
2023-12-15 (about 2 years ago)

Other

Published
Title
Published
2022-03-14
Title
MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution
Published
2024-12-18
Title
WP SuperBackup < 2.4 - Unauthenticated Arbitrary File Upload
Published
2024-11-13
Title
BasePress Migration Tools <= 1.0.0 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2025-08-28
Title
Booster for WooCommerce < 7.2.5 - Unauthenticated Double Extension Arbitrary File Upload
Published
2024-04-12
Title
InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.23 - Unauthenticated Arbitrary File Upload