CVE-2023-2916Revmakx · Infinitewp_client
Vulnerability data via NVD (ingested)
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2023-2916http.html:"/wp-content/plugins/infinitewp-client/"product:"Revmakx Infinitewp Client"http.html:"Infinitewp Client"More intel sources (5)
vuln:CVE-2023-2916vulnerabilities.cve_id: CVE-2023-2916CVE-2023-2916CVE-2023-2916"CVE-2023-2916" exploit -site:nvd.nist.gov