WordPress Plugin Vulnerabilities

WPB Show Core <= 2.2 - Unauthenticated Server Side Request Forgery

Description

This plugin is vulnerable to server-side request forgery (SSRF) via the `path` parameter.

Proof of Concept

Affects Plugins

Plugin icon
wpb-show-core
No known fix

References

CVE
CVE-2023-5974

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Mohamed Abdelhady
Submitter
Mohamed Abdelhady
Submitter website
https://mohamedabdelhady933.github.io/Blog/
Submitter twitter
Mohamed_A_R_1
Verified
Yes
WPVDB ID
c0136057-f420-4fe7-a147-ecbec7e7a9b5

Timeline

Publicly Published
2023-11-06 (about 2 years ago)
Added
2023-11-06 (about 2 years ago)
Last Updated
2023-11-06 (about 2 years ago)

Other

Published
Title
Published
2022-12-13
Title
WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
Published
2016-02-02
Title
WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
Published
2024-07-11
Title
Magical Addons For Elementor < 1.1.42 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2025-10-24
Title
Slider Templates <= 1.0.3 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2018-01-20
Title
Google Forms <= 0.91 - Unauthenticated Server-Side Request Forgery (SSRF)