Cyber Resilience

CVE-2023-2068

Critical · Public PoC

Published: 27 June 2023

Modified: 21 November 2024
KEV Added: not listed (not in the CISA KEV catalog)
Patch: not listed
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.7472 (98.9th percentile)
Risk Priority: 64 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-2068 is a critical-severity vulnerability in the File Manager Advanced Shortcode WordPress plugin by Advancedfilemanager: an improper file-upload validation flaw for which no CWE has been assigned. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 1.1% of CVEs by EPSS exploit likelihood (0.7472, 98.9th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The File Manager Advanced Shortcode WordPress plugin through version 2.3.2 does not adequately enforce the configured MIME-type restrictions on files uploaded through the plugin's shortcode. Because the restriction can be bypassed, an attacker can upload a PHP file even when the administrator's allowed-MIME list deliberately excludes PHP; the web server then executes that file, giving remote code execution on the affected WordPress site. The issue carries a CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N). In the worst case, where the page carrying the shortcode is reachable by visitors who are not logged in, it is exploitable over the network without authentication; actual exposure depends on where the site owner placed the shortcode and which visitors that page admits.
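The following is an added example for this page, not code from the plugin, the advisory or the proof-of-concept. The plugin's real source is not reproduced here, so the "declared-type-only" check is an assumed minimal model of the bug class the advisory describes (an upload filter that compares the client-supplied Content-Type against the allowed MIME list), placed beside a hardened check that verifies the name, the claimed type and the actual bytes together. The allow-lists, the extension mapping and the sample uploads are constructed for the demonstration.

```python
"""
Added example: generic model of the upload MIME-check bypass class behind
CVE-2023-2068.  Not the plugin's code; the vulnerable check is an assumed
reconstruction of the flaw as described, shown beside a hardened check.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Allow-list as an administrator would configure it in the shortcode: images only, no PHP.
ALLOWED_MIME = {"image/png", "image/jpeg", "image/gif"}
# Extension allow-list matching that policy (assumed mapping for the example).
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Extensions a typical PHP-enabled host hands to the interpreter.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Leading bytes that identify the allowed image formats.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")


@dataclass
class Upload:
    filename: str        # client-supplied name from the multipart part
    declared_mime: str   # client-supplied Content-Type from the multipart part
    data: bytes          # file body as received


def sniff_mime(data: bytes) -> Optional[str]:
    """Identify the content by magic bytes, ignoring whatever the client claimed."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def vulnerable_check(up: Upload) -> bool:
    """Flawed pattern: compares only the client's declared Content-Type
    against the allow-list, so 'shell.php' sent as image/png is accepted."""
    return up.declared_mime in ALLOWED_MIME


def hardened_check(up: Upload) -> bool:
    """Accept only when name, declared type and actual content all agree
    with the allow-list, and reject anything PHP could execute or parse."""
    parts = up.filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                          # no extension, or dotfile such as '.htaccess'
    if any(p in PHP_EXTENSIONS for p in parts[1:]):
        return False                          # shell.php, shell.php.png, shell.phtml
    if parts[-1] not in ALLOWED_EXT:
        return False
    sniffed = sniff_mime(up.data)
    if sniffed is None or sniffed != up.declared_mime:
        return False                          # content disagrees with the claimed type
    if PHP_OPEN_TAG.search(up.data):
        return False                          # image/PHP polyglot
    return True


# Constructed samples for the demonstration (not captured from any real upload).
SAMPLES = {
    "webshell_as_png": Upload("shell.php", "image/png", b"<?php system($_GET['c']); ?>"),
    "double_extension": Upload("shell.php.png", "image/png",
                               b"\x89PNG\r\n\x1a\n<?php system($_GET['c']); ?>"),
    "polyglot_png": Upload("cat.png", "image/png",
                           b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php eval($_POST['x']); ?>"),
    "real_png": Upload("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
}


def evaluate() -> dict:
    """Return {sample: (vulnerable_result, hardened_result)} for every constructed sample."""
    return {name: (vulnerable_check(up), hardened_check(up)) for name, up in SAMPLES.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in evaluate().items():
        print(f"{name:18} vulnerable={vuln!s:5} hardened={hard}")
```

The vulnerable check accepts all four samples because every one of them claims image/png; the hardened check accepts only the genuine PNG. In a real WordPress plugin the equivalent primitive is core's wp_check_filetype_and_ext(), which performs the extension and content comparison server-side, and the upload directory should additionally be configured so that the web server never passes files under it to PHP.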

An attacker who can reach the shortcode's upload form, unauthenticated in the worst case, uploads a PHP file, which lands in a web-accessible upload directory; requesting that file then executes attacker-controlled code on the server, giving full compromise of the site and potentially the underlying host. Public proof-of-concept material on Packet Storm and WPScan demonstrates this path.
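As an added example for this page (not from the page, the plugin or the proof-of-concept), the following hunt looks for the artefact that the attack path above leaves behind: PHP content under the WordPress uploads tree, whether it carries a PHP extension or hides a PHP opening tag behind an image extension. The directory layout and the planted files are constructed inline so the script runs offline; in practice it would be pointed at a real wp-content/uploads.

```python
"""
Added example: hunt a WordPress uploads tree for files PHP could execute,
the trace an exploit of CVE-2023-2068 leaves.  The fixture tree and its
files are constructed here; none of it comes from a real incident.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Extensions a typical PHP-enabled host passes to the interpreter.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# PHP opening tags; found in polyglots and in payloads renamed to an image extension.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")


def classify(path: Path) -> Optional[str]:
    """Return a finding label for one file, or None if it looks benign."""
    suffixes = [s[1:].lower() for s in path.suffixes]   # 'a.php.png' -> ['php', 'png']
    if any(s in PHP_EXTENSIONS for s in suffixes):
        return "php-extension"
    try:
        with path.open("rb") as fh:
            head = fh.read(64 * 1024)          # opening tag is near the start in practice
    except OSError:
        return None
    if PHP_OPEN_TAG.search(head):
        return "php-tag-in-content"
    return None


def hunt(root: Path) -> Dict[str, str]:
    """Walk an uploads tree; map relative path -> finding for every suspicious file."""
    findings: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            label = classify(path)
            if label:
                findings[path.relative_to(root).as_posix()] = label
    return findings


def build_fixture() -> Path:
    """Constructed uploads tree: one benign image and three planted files."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    month = root / "2023" / "06"
    month.mkdir(parents=True)
    (month / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (month / "shell.php").write_bytes(b"<?php system($_GET['c']); ?>")
    (month / "avatar.phtml").write_bytes(b"<?= shell_exec($_POST['c']); ?>")
    (month / "cat.jpg").write_bytes(
        b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php eval($_POST['x']); ?>"
    )
    return root


if __name__ == "__main__":
    for rel, label in hunt(build_fixture()).items():
        print(f"{label:20} {rel}")
```

A hit is evidence, not proof: a few legitimate plugins do write PHP under uploads, so compare each hit's modification time and contents against the exposure window before treating it as a webshell. Independently of patching, configuring the web server to refuse PHP execution under wp-content/uploads removes the execution half of this chain for any upload-filter bypass, although it does not stop the upload itself.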

EPSS for the vulnerability reached a peak of 0.8301 on 2025-01-22 and remains elevated at 0.7472, indicating material and sustained exploitation interest after disclosure.

Vulnerability details

The File Manager Advanced Shortcode WordPress plugin through 2.3.2 does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: advancedfilemanager
Product: file manager advanced shortcode
Versions: ≤ 2.3.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
