WordPress Plugin Vulnerabilities

Easy WP SMTP < 1.5.2 - Admin+ Arbitrary File Access

Description

The plugin does not validate some user input used to generate paths, which could allow high privilege users such as admin to access arbitrary files (even when they should not be able to, for example in multisite) via a traversal attack

Affects Plugins

Plugin icon
easy-wp-smtp
Fixed in 1.5.2

References

CVE
CVE-2022-45833

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Tomasz Staszyszyn
Verified
No
WPVDB ID
e033a769-af90-4ad9-bef1-c8b561d2e2b3

Timeline

Publicly Published
2022-11-30 (about 3 years ago)
Added
2022-12-06 (about 3 years ago)
Last Updated
2022-12-06 (about 3 years ago)

Other

Published
Title
Published
2022-12-12
Title
Wholesale Market for WooCommerce < 2.0.0 - Admin+ Arbitrary Log Download
Published
2026-04-16
Title
Unlimited Elements For Elementor < 2.0.7 - Contributor+ Arbitrary File Read via Path Traversal in Repeater JSON/CSV URL with Path Traversal
Published
2020-05-16
Title
Simple File List < 4.2.8 - Authenticated Arbitrary File Deletion
Published
2019-05-23
Title
Simple File List Plugin < 3.2.8 - Unauthenticated Arbitrary File Download
Published
2023-02-28
Title
GMace <= 1.5.2 - Admin+ Path Traversal