Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3 vulnerabilities by quttera
CVE-2025-8013 (GCVE-0-2025-8013)
Vulnerability from cvelistv5 – Published: 2025-08-15 06:40 – Updated: 2026-04-08 16:48
VLAI
Title
Quttera Web Malware Scanner <= 3.5.1.41 - Authenticated (Administrator+) Server-Side Request Forgery
Summary
The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| quttera | Quttera ThreatSign – Web Malware Scanner for WordPress |
Affected:
0 , ≤ 3.5.1.41
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8013",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-15T12:10:03.404500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T12:10:09.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quttera ThreatSign \u2013 Web Malware Scanner for WordPress",
"vendor": "quttera",
"versions": [
{
"lessThanOrEqual": "3.5.1.41",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the \u0027RunExternalScan\u0027 function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.8,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:48:26.781Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40957153-45f1-40c9-91ce-f3491ca7eee5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quttera-web-malware-scanner/trunk/qtrAjaxHandler.php#L352"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quttera-web-malware-scanner/trunk/qtrExternalScanner.php#L28"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3344330/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Quttera Web Malware Scanner \u003c= 3.5.1.41 - Authenticated (Administrator+) Server-Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8013",
"datePublished": "2025-08-15T06:40:40.786Z",
"dateReserved": "2025-07-22T00:27:02.341Z",
"dateUpdated": "2026-04-08T16:48:26.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6065 (GCVE-0-2023-6065)
Vulnerability from cvelistv5 – Published: 2023-12-18 20:07 – Updated: 2024-08-02 08:21
VLAI
Title
Quttera Web Malware Scanner < 3.4.2.1 - Directory Listing to Sensitive Data Exposure
Summary
The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code
Severity
No CVSS data available.
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/64f2557f-c5e4-47… | exploitvdb-entrytechnical-description |
| https://drive.google.com/file/d/1w83xWsVLS_gCpQy4… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | Quttera Web Malware Scanner |
Affected:
0 , < 3.4.2.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/64f2557f-c5e4-4779-9e28-911dfaf2dda5"
},
{
"tags": [
"x_transferred"
],
"url": "https://drive.google.com/file/d/1w83xWsVLS_gCpQy4LDwbjNK9JaB87EEf/view?usp=sharing"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Quttera Web Malware Scanner",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.4.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn\u0027t restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site\u0027s code"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-18T20:07:56.766Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/64f2557f-c5e4-4779-9e28-911dfaf2dda5"
},
{
"url": "https://drive.google.com/file/d/1w83xWsVLS_gCpQy4LDwbjNK9JaB87EEf/view?usp=sharing"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Quttera Web Malware Scanner \u003c 3.4.2.1 - Directory Listing to Sensitive Data Exposure",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-6065",
"datePublished": "2023-12-18T20:07:56.766Z",
"dateReserved": "2023-11-09T20:15:13.961Z",
"dateUpdated": "2024-08-02T08:21:17.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6222 (GCVE-0-2023-6222)
Vulnerability from cvelistv5 – Published: 2023-12-18 20:07 – Updated: 2024-09-30 18:54
VLAI
Title
Quttera Web Malware Scanner < 3.4.2.1 - Admin+ Path Traversal
Summary
IThe Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/df892e99-c0f6-42… | exploitvdb-entrytechnical-description |
| https://drive.google.com/file/d/1krgHH2NvVFr93VpE… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | Quttera Web Malware Scanner |
Affected:
0 , < 3.4.2.1
(semver)
|
|
| quttera | quttera_web_malware_scanner |
Affected:
0 , < 3.4.2.1
(semver)
cpe:2.3:a:quttera:quttera_web_malware_scanner:*:*:*:*:*:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.998Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/df892e99-c0f6-42b8-a834-fc55d1bde130"
},
{
"tags": [
"x_transferred"
],
"url": "https://drive.google.com/file/d/1krgHH2NvVFr93VpErLkOjDV3L6M5yIA1/view?usp=sharing"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:quttera:quttera_web_malware_scanner:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "quttera_web_malware_scanner",
"vendor": "quttera",
"versions": [
{
"lessThan": "3.4.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-6222",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T18:52:07.513372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T18:54:45.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Quttera Web Malware Scanner",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.4.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "IThe Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-18T20:07:54.232Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/df892e99-c0f6-42b8-a834-fc55d1bde130"
},
{
"url": "https://drive.google.com/file/d/1krgHH2NvVFr93VpErLkOjDV3L6M5yIA1/view?usp=sharing"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Quttera Web Malware Scanner \u003c 3.4.2.1 - Admin+ Path Traversal",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-6222",
"datePublished": "2023-12-18T20:07:54.232Z",
"dateReserved": "2023-11-20T18:52:52.004Z",
"dateUpdated": "2024-09-30T18:54:45.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}