WordPress Plugin Vulnerabilities

Quttera Web Malware Scanner < 3.4.2.1 - Admin+ Path Traversal

Description

IThe plugin does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks

Proof of Concept

Affects Plugins

Plugin icon
quttera-web-malware-scanner
Fixed in 3.4.2.1

References

CVE
CVE-2023-6222
URL
https://drive.google.com/file/d/1krgHH2NvVFr93VpErLkOjDV3L6M5yIA1/view?usp=sharing

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://research.cleantalk.org
Verified
Yes
WPVDB ID
df892e99-c0f6-42b8-a834-fc55d1bde130

Timeline

Publicly Published
2023-11-21 (about 2 years ago)
Added
2023-11-21 (about 2 years ago)
Last Updated
2023-11-21 (about 2 years ago)

Other

Published
Title
Published
2022-10-28
Title
Ultimate Member < 2.5.1 - Admin+ LFI via Traversal
Published
2022-06-06
Title
Product Configurator for WooCommerce < 1.2.32 - Unauthenticated Arbitrary File Deletion
Published
2021-07-29
Title
WordPress Download Manager < 3.1.25 - Authenticated Directory Traversal
Published
2022-10-14
Title
WP All Import < 3.6.9 - Admin+ Directory traversal via file upload
Published
2025-02-13
Title
Bit Assist < 1.5.3 - Admin+ Arbitrary File Read