Remote Code Execution Risk in WP Ultimate CSV Importer Plugin by WordPress
CVE-2023-4141

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Import All Pages, Post types, Products, Orders, and Users as XML & CSV
Vendor: CVE Published:; 4 August 2023

Summary

The WP Ultimate CSV Importer plugin for WordPress is susceptible to a vulnerability that allows authenticated users with author-level permissions or higher to execute arbitrary PHP code on the server. This is possible through manipulating the '->cus2' parameter, provided that the administrator has granted the necessary access in the plugin settings. It is important to note that while the author of the plugin has resolved this vulnerability by restricting file imports for authors and editors, site administrators still retain the ability to create PHP files. This necessitates a cautious approach when using the plugin, as server security could still be compromised.

Affected Version(s)

Import All Pages, Post types, Products, Orders, and Users as XML & CSV * <= 7.9.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-ultimate-cs...

https://plugins.trac.wordpress.org/changeset/2944635/wp-u...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 4, 2023
Vulnerability Reserved
Aug 3, 2023

Credit

Lana Codes