WordPress Plugin Vulnerabilities

Unite Gallery Lite < 1.7.60 - Admin+ Local File Inclusion

Description

The plugin does not validate the "view" parameter before using it to generate paths passed to include function/s, allowing any admin users to perform LFI attacks

Affects Plugins

Plugin icon
unite-gallery-lite
Fixed in 1.7.60

References

CVE
CVE-2023-33310

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
5.0 (medium)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
aed23c06-6a5a-40b2-9088-e1e0b7bf8fd4

Timeline

Publicly Published
2023-05-22 (about 2 years ago)
Added
2023-08-30 (about 2 years ago)
Last Updated
2023-08-30 (about 2 years ago)

Other

Published
Title
Published
2024-08-19
Title
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.9 - Authenticated (Administrator+) Arbitrary File Read And Deletion
Published
2023-01-30
Title
Rank Math SEO < 1.0.107.3 - Contributor+ LFI
Published
2024-04-22
Title
Sendinblue for WooCommerce < 4.0.18 - Authenticated (Editor+) Arbitrary File Download and Deletion
Published
2024-12-17
Title
WPLMS < 1.9.9.5 - Unauthenticated Arbitrary Directory Deletion
Published
2025-12-11
Title
WP Job Portal < 2.4.1 - Authenticated (Subscriber+) Arbitrary File Read