Arbitrary File Upload Vulnerability in E2Pdf Plugin for WordPress
CVE-2023-6826

7.2HIGH

Key Information:

Vendor
Wordpress
Status
E2PDF – Export To PDF Tool For WordPress
Vendor
CVE Published:
15 December 2023

Summary

The E2Pdf plugin for WordPress has a vulnerability that allows authenticated users, who have been granted access by an administrator, to upload arbitrary files. This is due to insufficient validation of file types in the 'import_action' function. Such a security flaw can lead to remote code execution on the affected site's server, posing significant risks to the site's integrity and security. It’s crucial for site administrators to update to the latest version to mitigate these risks.

Affected Version(s)

E2Pdf – Export To Pdf Tool for WordPress * <= 1.20.25

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/e2pdf/trunk/cl...
https://plugins.trac.wordpress.org/browser/e2pdf/trunk/cl...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

István Márton
.