WordPress Plugin Vulnerabilities

WP EXtra < 6.3 - Missing Authorization to Arbitrary Email Sending

Description

The WP EXtra plugin for WordPress is vulnerable to unauthorized access to restricted functionality due to a missing capability check on the 'test-email' section of the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to send emails with arbitrary content to arbitrary locations from the affected site's mail server.

Affects Plugins

Plugin icon
wp-extra
Fixed in 6.3

References

CVE
CVE-2023-5314
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/93c10a58-c5f2-440b-a88e-5314143fdd90

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
TP Cyber Security
Verified
No
WPVDB ID
a55c42a4-2fce-4ee9-b1be-53326ec59cb1

Timeline

Publicly Published
2023-10-25 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
AppMySite < 3.15.1 - Missing Authorization
Published
2023-10-25
Title
Generate Dummy Posts <= 1.0.0 - Missing Authorization
Published
2026-02-18
Title
TrueBooker < 1.1.7 - Missing Authorization
Published
2023-08-24
Title
Premmerce User Roles < 1.0.13 - Missing Authorization via role management functions
Published
2024-01-02
Title
WooCommerce PDF Invoices < 4.3.1 - Subscriber+ Arbitrary Order Export