InfiniteWP Client < 1.12.3.1 – Unauthenticated Sensitive Information Exposure | CVE 2023-6565 | Plugin Vulnerabilities

Description

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process.

Affects Plugins

Fixed in 1.12.3.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Christian Angel

Verified

No

WPVDB ID

fcc575b3-0403-484c-b66b-f48a07af61f4

Timeline

Publicly Published

2024-02-08 (about 2 years ago)

Added

2024-02-09 (about 2 years ago)

Last Updated

2024-02-09 (about 2 years ago)

Other

Published

Title

Published

2024-02-02

Title

Anonymous Restricted Content < 1.6.3 - Protection Mechanism Bypass

Published

2024-07-26

Title

Admin Post Navigation <= 2.1 - Unauthenticated Full Path Disclosure

Published

2024-06-04

Title

LearnPress – WordPress LMS Plugin < 4.2.6.8.1 - Basic Information Disclosure via JSON API

Published

2024-08-29

Title

Masterstudy LMS Starter < 1.1.9 - Unauthenticated Sensitive Information Exposure

Published

2024-02-02

Title

Total Upkeep < 1.15.9 - Improper Authorization to Unauthenticated Arbitrary File Download