Weaver Xtreme Theme Support < 6.3.1 - Admin+ PHP Object Injection
CVE-2023-4971

7.2HIGH

Key Information:

Vendor

Wordpress
Status
Weaver Xtreme Theme Support
Vendor
CVE Published:
16 October 2023

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2023-4971?

The Weaver Xtreme Theme Support plugin, prior to version 6.3.1, is vulnerable to PHP object injection through the unserialization of imported files. When a user with elevated privileges imports a malicious file, it can exploit the presence of a suitable gadget chain on the WordPress blog, potentially leading to the execution of arbitrary PHP code. This vulnerability highlights the importance of securing file imports and validating data to prevent unauthorized access and manipulation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Weaver Xtreme Theme Support 0 < 6.3.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-4971 - Proof of Concept

References

https://wpscan.com/vulnerability/421194e1-6c3f-4972-8f3c-...
exploitvdb-entrytechnical-description

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Do Xuan Trung
WPScan
JSON
.