WordPress Theme Demo Import Plugin <= 1.1.1 is vulnerable to Arbitrary File Upload
CVE-2023-28170

9.1CRITICAL

Key Information:

Vendor: WordPress
Status: Theme Demo Import
Vendor: CVE Published:; 20 December 2023

What is CVE-2023-28170?

The Themely Theme Demo Import component is vulnerable to an unrestricted file upload issue, allowing attackers to upload files of potentially dangerous types. This weakness may lead to remote code execution or unauthorized access to sensitive information when exploited, putting websites utilizing the plugin at serious risk. Users should ensure they are using the latest version to mitigate this vulnerability.

Affected Version(s)

Theme Demo Import <= 1.1.1

References

https://patchstack.com/database/vulnerability/theme-demo-...

vdb-entry

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 20, 2023
Vulnerability Reserved
Mar 13, 2023

Credit

deokhunKim (Patchstack Alliance)