WordPress Plugin Vulnerabilities

WP Mail Log Plugin < 1.1.3 - Contributor+ Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'send_email' function. This makes it possible for authenticated attackers, with contributor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
wp-mail-log
Fixed in 1.1.3

References

CVE
CVE-2023-51410
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0542f8bf-8fb1-4c47-89b7-106a6feacca1

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
b5153b7c-7e14-4ac7-8ef9-c44c17aefe63

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-03 (about 2 years ago)

Other

Published
Title
Published
2025-10-28
Title
Contact Form 7 PDF, Google Sheet & Database < 3.1.0 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2024-11-05
Title
WP JobSearch < 2.6.8 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2025-11-10
Title
Astra Security Suite <= 0.2 - Unauthenticated Arbitrary File Upload
Published
2025-04-14
Title
Eximius <= 2.2 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2025-02-21
Title
Theme File Duplicator <= 1.3 - Authenticated (Subscriber+) Arbitrary File Upload