PT-2023-17126 · WordPress · Wp Coder

Erwan Lr · Published 2023-04-24 · Updated 2025-02-04

CVE-2023-1624

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WPCode WordPress plugin, versions prior to 2.0.9

Description: The plugin's log-deletion action has a flawed CSRF check, and it does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode activate snippets capability delete arbitrary log files on the server, including files outside of the blog folders.

Recommendations: For versions prior to 2.0.9, update to version 2.0.9 or later to resolve the issue. As a temporary workaround, consider restricting the wpcode activate snippets capability to trusted users until the update is applied. Additionally, restrict access to the log deletion functionality to minimize the risk of exploitation.
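The description names two separate defects, a CSRF check that does not hold and a deletion path that is never confined to the log folder. The handler below is an added illustration of how both checks look in a WordPress plugin; it is not WPCode's code, and the handler names, the `example-logs` directory and the underscore form of the capability (`wpcode_activate_snippets`) are assumptions.

```php
<?php
// Added example, not WPCode's own code. Function names, the log directory and
// the capability slug are hypothetical.

/**
 * Resolve a user-supplied log filename against the expected log directory and
 * refuse anything that escapes it. Returns the absolute path, or false.
 */
function example_safe_log_path( string $log_dir, string $requested ) {
    // Only a bare filename is acceptable; any directory component is rejected.
    if ( '' === $requested || $requested !== basename( $requested ) ) {
        return false;
    }
    $base = realpath( $log_dir );
    $full = realpath( $log_dir . DIRECTORY_SEPARATOR . $requested );
    if ( false === $base || false === $full ) {
        return false; // directory or file does not exist
    }
    // Containment check: the resolved path must sit inside the log directory.
    // realpath() has already collapsed any "../" segments and symlinks.
    if ( 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    // Only files of the expected type may be deleted through this action.
    if ( 'log' !== strtolower( pathinfo( $full, PATHINFO_EXTENSION ) ) ) {
        return false;
    }
    return $full;
}

/** admin-post.php handler for the delete-log action. */
function example_handle_delete_log() {
    // Authorization: the caller must hold the capability that manages logs.
    if ( ! current_user_can( 'wpcode_activate_snippets' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: the request must carry a nonce bound to this action and this user,
    // so a forged cross-site request from a logged-in user is rejected.
    check_admin_referer( 'example_delete_log', '_wpnonce' );

    $log_dir   = WP_CONTENT_DIR . '/example-logs'; // hypothetical log directory
    $requested = isset( $_POST['log'] ) ? sanitize_file_name( wp_unslash( $_POST['log'] ) ) : '';

    $path = example_safe_log_path( $log_dir, $requested );
    if ( false === $path ) {
        wp_die( 'Invalid log file', '', array( 'response' => 400 ) );
    }
    wp_delete_file( $path );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_example_delete_log', 'example_handle_delete_log' );
```

The nonce check alone would not have closed the issue: without the containment check, a legitimately authorized user could still be pointed at a file outside the log folder, which is why both checks are needed.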

Related Identifiers: CVE-2023-1624

Affected Products: Wp Coder