WP Mail Log < 1.1.3 – Contributor+ LFI in wml_logs/send_mail endpoint
CVE-2023-5672

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Mail Log
Vendor: CVE Published:; 26 December 2023

Summary

The WP Mail Log WordPress plugin before 1.1.3 does not properly validate file path parameters when attaching files to emails, leading to local file inclusion, and allowing an attacker to leak the contents of arbitrary files.

Affected Version(s)

WP Mail Log 0 < 1.1.3

References

https://wpscan.com/vulnerability/7c1dff5b-bed3-49f8-96cc-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 26, 2023
Vulnerability Reserved
Oct 20, 2023

Credit

dc11

WPScan