CVE-2023-4141
Published: 04 August 2023
Summary
CVE-2023-4141 is a high-severity Code Injection (CWE-94) vulnerability in Smackcoders Wp Ultimate Csv Importer. Its CVSS base score is 8.0 (High).
Operationally, it ranks in the top 9.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to remote code execution in versions up to and including 7.9.8. The flaw, classified as CWE-94 (Code Injection), resides in the handling of the cus2 parameter within ImportHelpers.php and permits an attacker to write an arbitrary PHP file that the server subsequently executes. The issue affects any site running the plugin on which an administrator has enabled the import capability for authors or editors.
An authenticated user holding author-level or higher privileges can exploit the vulnerability over the network to achieve arbitrary code execution with the web server's privileges. The CVSS 8.0 score reflects high confidentiality, integrity, and availability impact combined with changed scope, although successful exploitation requires the administrator to have previously granted import rights and involves high attack complexity.
The plugin maintainer addressed the issue in changeset 2944635 by revoking import permissions for authors and editors. Site administrators retain the ability to create PHP files through the plugin, and the vendor advises continued caution when the feature is used. No material increase in exploitation probability has been observed, with EPSS remaining near 0.06.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-54022
Vulnerability details
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files; please note that this means PHP file creation is still allowed for site administrators, so use the plugin with caution.
- CWE(s): CWE-94 (Code Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Read-only executable media: makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Sandboxed execution: dynamically generated code is produced and executed inside an isolated sandbox, so a code-injection payload cannot compromise the host.
- Input validation for dynamic code: validates inputs used in dynamic code generation to block injected directives.
- Non-executable data memory: directly prevents execution of attacker-supplied code written into data memory regions.