WordPress Plugin Vulnerabilities

WP EXtra < 6.3 - Subscriber+ .htaccess File Modification

Description

The plugin is missing capability checks on the register function, allowing authenticated users, with roles as low as subscriber, to modify the contents of the site's .htaccess files, leading to potential remote code execution.

Affects Plugins

Plugin icon
wp-extra
Fixed in 6.3

References

CVE
CVE-2023-5311
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-extra/wp-extra-62-missing-authorization-to-htaccess-file-modification

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
GiongfNef
Verified
No
WPVDB ID
feef4928-143e-466a-9c04-f9cf410d194e

Timeline

Publicly Published
2023-10-24 (about 2 years ago)
Added
2023-10-25 (about 2 years ago)
Last Updated
2023-11-13 (about 2 years ago)

Other

Published
Title
Published
2026-02-18
Title
SMS Alert Order Notifications < 3.9.1 - Missing Authorization
Published
2024-08-21
Title
Image Optimizer, Resizer and CDN – Sirv < 7.2.8 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload
Published
2025-12-29
Title
BizPrint < 4.7.1 - Missing Authorization
Published
2026-01-09
Title
Add Expires Headers & Optimized Minify < 3.3.0 - Missing Authorization
Published
2025-12-25
Title
Plugin Optimizer <= 1.3.7 - Missing Authorization