CVE-2023-1624

CWE-352Cross-Site Request Forgery (CSRF)3 documents3 sources
Severity
6.5MEDIUM
EPSS
0.1%
top 68.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown WpcodeWpcode Wpcode
Timeline
PublishedApr 24

Description

The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDwpcode/wpcode< 2.0.9
CVEListV5unknown/wpcode< 2.0.9

🔴Vulnerability Details

2
GHSA
GHSA-2h2j-55g7-g43c: The WPCode WordPress plugin before 22023-04-24
CVEList
WPCode Lite < 2.0.9 - Arbitrary Log File Deletion via CSRF2023-04-24
CVE-2023-1624 (MEDIUM CVSS 6.5) | The WPCode WordPress plugin before | cvebase.io