cleantalk
Vulnerabilities and Security Researches

FULL – Cliente, CVE-2023-4243

CVE, Research URL

CVE-2023-4243

Home page URL

Security reports for FULL – Cliente

Application

FULL – Cliente

Published on
Aug 09, 2023
Research Description
The FULL - Customer plugin for WordPress is vulnerable to Arbitrary File Upload via the /install-plugin REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to execute code by installing plugins from arbitrary remote locations including non-repository sources onto the site, granted they are packaged as a valid WordPress plugin.
Affected versions
Min -, max 2.3.
Status
vulnerable
Previous vulnerability researches
FULL – Cliente (CVE-2024-9211) , Oct 12, 2024
FULL – Cliente (CVE-2023-4242) , Jun 07, 2024
FULL – Cliente (CVE-2023-4243) , Jun 07, 2024
FULL – Cliente (CVE-2024-54313) , Dec 15, 2024
FULL – Cliente (CVE-2025-26757) , Feb 24, 2025
New vulnerability
VerticalResponse Newsletter Widget (CVE-2025-4172) , May 04, 2025
Subpage List (CVE-2025-4168) , May 04, 2025
OTP-less one tap Sign in (CVE-2025-3746) , May 04, 2025
Advanced Reorder Image Text Slider (CVE-2025-4188) , May 04, 2025
MStore API (CVE-2025-3438) , May 04, 2025