WordPress Plugin Vulnerabilities

WatchTowerHQ < 3.6.16 - Unauthenticated Arbitrary File Deletion

Description

The plugin does properly check for the access token in its REST API endpoints, which could allow unauthenticated attackers to call them and delete arbitrary files

Affects Plugins

Plugin icon
watchtowerhq
Fixed in 3.6.16

References

CVE
CVE-2022-44584

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
9.1 (critical)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
effdd9d1-2ba8-4779-a5b1-9b0d2f6bc94d

Timeline

Publicly Published
2022-11-01 (about 3 years ago)
Added
2022-11-19 (about 3 years ago)
Last Updated
2022-11-19 (about 3 years ago)

Other

Published
Title
Published
2025-06-19
Title
Kata Plus < 1.5.4 - Missing Authorization
Published
2024-10-24
Title
Breeze < 2.1.15 - Missing Authorization
Published
2025-05-24
Title
Visual Header < 1.5 - Missing Authorization
Published
2026-03-16
Title
Modern Events Calendar <= 7.29.0 - Missing Authorization
Published
2025-03-14
Title
WP01 – Speed, Security, SEO consultant <= 2.6.2 - Authenticated (Subscriber+) Arbitrary File Download