Remote Code Execution Vulnerability in WP Ultimate CSV Importer Plugin for WordPress
CVE-2023-4142

8.8 HIGH

Summary

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to remote code execution via the '->cus1' parameter in versions up to and including 7.9.8. Authenticated attackers with author-level permissions or higher can exploit the flaw, but only if an administrator has previously granted those roles import access within the plugin's settings. Restricting file imports for authors and editors reduces the pool of accounts that can reach the vulnerable code path, but it does not remove the flaw: any account that still has import access, including an administrator's, can still trigger remote code execution. Site owners should review which roles the plugin's settings allow to import files, audit the accounts holding those roles, and move to a version above 7.9.8.
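The advisory's two conditions (affected version and import access granted to a role below administrator) make a small triage check worthwhile. The script below is an added example for this page, not code from the plugin or from Wordfence: it reads the version out of a plugin header or readme, compares it numerically against the 7.9.8 ceiling (a plain string compare would rank "7.10" below "7.9.8"), and combines the result with the set of roles the site owner found enabled for imports in the plugin settings. The plugin directory name, the header sample and the role sets are assumptions; the advisory does not name the setting that grants import access, so that input is supplied by hand after checking the settings page.

```python
"""Triage helper for CVE-2023-4142 (WP Ultimate CSV Importer <= 7.9.8).

Added example; not part of the advisory or of the plugin's own code.
"""
import re
from typing import Iterable, Optional, Tuple

# Assumed directory name under wp-content/plugins/; verify against the install.
PLUGIN_SLUG = "wp-ultimate-csv-importer"
# Highest affected version stated in the advisory (inclusive).
LAST_AFFECTED = "7.9.8"
# WordPress roles below administrator; "author" and above are in scope per the advisory.
NON_ADMIN_ROLES = {"editor", "author", "contributor", "subscriber"}

# Constructed sample of a plugin main-file header, not the real file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Import All Pages, Post types, Products, Orders, and Users as XML & CSV
Version: 7.9.8
*/
"""

_VERSION_LINE = re.compile(
    r"^\s*\*?\s*(?:Stable tag|Version):\s*([0-9][0-9A-Za-z.\-]*)",
    re.MULTILINE | re.IGNORECASE,
)


def version_from_header(text: str) -> Optional[str]:
    """Return the 'Version:' (plugin header) or 'Stable tag:' (readme.txt) value."""
    m = _VERSION_LINE.search(text)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.9.8' into (7, 9, 8) so comparison is numeric per component.

    Non-numeric suffixes are dropped ('7.9.8-beta' -> (7, 9, 8)) and trailing
    zeros removed ('7.9.8.0' -> (7, 9, 8)).
    """
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is at or below the advisory's ceiling."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def triage(plugin_header: str, roles_granted_import: Iterable[str]) -> str:
    """Combine version state with the roles the admin enabled for imports."""
    version = version_from_header(plugin_header)
    if version is None:
        return "unknown: no Version/Stable tag line found"
    if not is_affected(version):
        return f"not affected: {version} is above {LAST_AFFECTED}"
    exposed = sorted(r for r in roles_granted_import if r in NON_ADMIN_ROLES)
    if exposed:
        return (f"affected: {version}; import access granted to {', '.join(exposed)}: "
                "lower-privileged accounts can reach RCE; update now")
    return (f"affected: {version}; import access limited to administrators: "
            "exposure is via admin accounts only; update anyway")


if __name__ == "__main__":
    print(f"plugin path: wp-content/plugins/{PLUGIN_SLUG}/")
    print(triage(SAMPLE_HEADER, {"administrator", "author"}))
    print(triage(SAMPLE_HEADER, {"administrator"}))
    print(triage("Version: 7.10", {"author"}))
```

On a live site, feed `triage` the contents of the plugin's main file or readme.txt (readable on disk or via the web root) and the roles you found enabled on the plugin's settings page; the "admin only" branch is still flagged as affected because the advisory is explicit that restricting imports is a mitigation, not a fix.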

Affected Version(s)

Import All Pages, Post types, Products, Orders, and Users as XML & CSV: <= 7.9.8

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 8.8
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published
  • Vulnerability Reserved

Credit

Lana Codes