WordPress Plugin Vulnerabilities

Icegram Express < 5.6.24 - Admin+ Directory Traversal

Description

The plugin is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector.

Affects Plugins

Plugin icon
email-subscribers
Fixed in 5.6.24

References

CVE
CVE-2023-5414

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.1 (critical)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
9efb7005-a490-42b4-b7b6-b6ac5af072f0

Timeline

Publicly Published
2023-10-11 (about 2 years ago)
Added
2023-10-20 (about 2 years ago)
Last Updated
2023-10-20 (about 2 years ago)

Other

Published
Title
Published
2025-01-24
Title
WP Ultimate Exporter < 2.9.1 - Authenticated (Admin+) Arbitrary File Read
Published
2025-05-14
Title
File Manager Advanced Shortcode <= Multiple Versions - Authenticated (Administrator+) Local JavaScript File Inclusion via Shortcode
Published
2024-11-27
Title
File Manager Pro – Filester < 1.8.6 - Authenticated (Administrator+) Local JavaScript File Inclusion
Published
2014-09-27
Title
Tom M8te (tom-m8te) Plugin 1.5.3 - Directory Traversal
Published
2025-02-26
Title
Car Dealer Automotive WordPress Theme – Responsive < 1.6.4 - Authenticated (Subscriber+) Arbitrary File Deletion and Read