History: May 02, 2023 - 7:04 a.m.

CVE-2023-0924 Zyrex Popup <= 1.0 - Admin+ Arbitrary File Upload

2023-05-02 07:04:48
WPScan
www.cve.org
cve-2023-0924; zyrex popup; arbitrary file upload; wordpress; plugin; file validation; administrator; multisite install

EPSS: 0.001 (Low), percentile 33.3%

The ZYREX POPUP WordPress plugin through 1.0 does not validate the type of files uploaded when creating a popup, allowing a high privileged user (such as an Administrator) to upload arbitrary files, even when modifying the file system is disallowed, such as in a multisite install.

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "ZYREX POPUP",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThanOrEqual": "1.0"
      }
    ],
    "defaultStatus": "affected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
