Search criteria
4 vulnerabilities found for InfiniteWP Client by infinitewp
CVE-2023-6565 (GCVE-0-2023-6565)
Vulnerability from cvelistv5 – Published: 2024-02-20 18:56 – Updated: 2025-04-22 16:24
VLAI?
Summary
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process.
Severity ?
5.9 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| infinitewp | InfiniteWP Client |
Affected:
* , ≤ 1.12.3
(semver)
|
Credits
Christian Angel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T20:50:41.047077Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T16:24:54.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3007309/iwp-client"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InfiniteWP Client",
"vendor": "infinitewp",
"versions": [
{
"lessThanOrEqual": "1.12.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Angel"
}
],
"descriptions": [
{
"lang": "en",
"value": "The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T18:56:24.911Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3007309/iwp-client"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-07T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-02-08T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6565",
"datePublished": "2024-02-20T18:56:24.911Z",
"dateReserved": "2023-12-06T22:10:27.105Z",
"dateUpdated": "2025-04-22T16:24:54.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2916 (GCVE-0-2023-2916)
Vulnerability from cvelistv5 – Published: 2023-08-15 08:32 – Updated: 2024-10-08 20:07
VLAI?
Summary
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| infinitewp | InfiniteWP Client |
Affected:
* , ≤ 1.11.1
(semver)
|
Credits
Lana Codes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:03.572Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.11.1/core.class.php#L365"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2925897/iwp-client#file4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2916",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T20:06:58.233810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T20:07:36.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InfiniteWP Client",
"vendor": "infinitewp",
"versions": [
{
"lessThanOrEqual": "1.11.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lana Codes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the \u0027admin_notice\u0027 function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-200 Information Exposure",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-15T08:32:58.963Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.11.1/core.class.php#L365"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2925897/iwp-client#file4"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-26T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-26T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-08-14T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2916",
"datePublished": "2023-08-15T08:32:58.963Z",
"dateReserved": "2023-05-26T13:47:33.528Z",
"dateUpdated": "2024-10-08T20:07:36.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6565 (GCVE-0-2023-6565)
Vulnerability from nvd – Published: 2024-02-20 18:56 – Updated: 2025-04-22 16:24
VLAI?
Summary
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process.
Severity ?
5.9 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| infinitewp | InfiniteWP Client |
Affected:
* , ≤ 1.12.3
(semver)
|
Credits
Christian Angel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T20:50:41.047077Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T16:24:54.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3007309/iwp-client"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InfiniteWP Client",
"vendor": "infinitewp",
"versions": [
{
"lessThanOrEqual": "1.12.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Angel"
}
],
"descriptions": [
{
"lang": "en",
"value": "The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T18:56:24.911Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3007309/iwp-client"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-07T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-02-08T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6565",
"datePublished": "2024-02-20T18:56:24.911Z",
"dateReserved": "2023-12-06T22:10:27.105Z",
"dateUpdated": "2025-04-22T16:24:54.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2916 (GCVE-0-2023-2916)
Vulnerability from nvd – Published: 2023-08-15 08:32 – Updated: 2024-10-08 20:07
VLAI?
Summary
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| infinitewp | InfiniteWP Client |
Affected:
* , ≤ 1.11.1
(semver)
|
Credits
Lana Codes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:03.572Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.11.1/core.class.php#L365"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2925897/iwp-client#file4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2916",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T20:06:58.233810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T20:07:36.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InfiniteWP Client",
"vendor": "infinitewp",
"versions": [
{
"lessThanOrEqual": "1.11.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lana Codes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the \u0027admin_notice\u0027 function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-200 Information Exposure",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-15T08:32:58.963Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.11.1/core.class.php#L365"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2925897/iwp-client#file4"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-26T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-26T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-08-14T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2916",
"datePublished": "2023-08-15T08:32:58.963Z",
"dateReserved": "2023-05-26T13:47:33.528Z",
"dateUpdated": "2024-10-08T20:07:36.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}