Cyber Resilience

CVE-2023-4141

High · RCE

Published: 04 August 2023

Modified: 08 April 2026
KEV Added: not listed
Patch: changeset 2944635
CVSS v3.1 Score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0607 (90.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-4141 is a high-severity Code Injection (CWE-94) vulnerability in the Smackcoders WP Ultimate CSV Importer plugin for WordPress. Its CVSS base score is 8.0 (High).

Operationally, it ranks in the top 9.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to remote code execution in versions up to and including 7.9.8. The flaw, classified as CWE-94, resides in the handling of the cus2 parameter within ImportHelpers.php and permits an attacker to write an arbitrary PHP file that is subsequently executed on the server. The issue affects any site running the plugin on which an administrator has granted the import capability to authors or editors.

An authenticated user holding author-level or higher privileges can exploit the vulnerability over the network to achieve arbitrary code execution with the web server's privileges. The CVSS 8.0 score reflects high confidentiality, integrity, and availability impact combined with changed scope, although successful exploitation requires the administrator to have previously granted import rights and involves high attack complexity.

The plugin maintainer addressed the issue in changeset 2944635 by revoking import permissions for authors and editors. Site administrators retain the ability to create PHP files through the plugin, and the vendor advises continued caution when the feature is used. No material increase in exploitation probability has been observed, with EPSS remaining near 0.06.

Vulnerability details

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files. Please note that this means PHP file creation is still allowed for site administrators; use the plugin with caution.

CWE(s): CWE-94 (Code Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Smackcoders WP Ultimate CSV Importer, versions ≤ 7.9.8

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

Addresses CWE-94: Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.

Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
