The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders
Name | Vendor | Start Version | End Version |
---|---|---|---|
Wpcode | Wpcode | * | 2.0.9 (excluding) |