Cyber Resilience

CVE-2023-4238

High severity · Public PoC

Published: 25 September 2023
Modified: 22 April 2025
KEV Added: not listed
Patch: available (update to 2.5.2 or later; see below)
CVSS v3.1 score: 7.2 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.2467 (96.3rd percentile)
Risk priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-4238 is a high-severity vulnerability in the Miniorange Prevent Files / Folders Access WordPress plugin; the weakness type is unspecified (no CWE is listed). Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The Prevent files / folders access WordPress plugin before version 2.5.2 contains an arbitrary file upload vulnerability because it performs no validation on files submitted for upload. This affects any site running the vulnerable plugin and allows an attacker to place files such as PHP scripts directly on the server.

An attacker with high privileges, typically an authenticated administrator, can exploit the flaw over the network with low attack complexity. Successful exploitation grants the ability to upload and execute arbitrary code, resulting in full confidentiality, integrity, and availability impact on the affected WordPress installation.

The referenced WPScan advisory identifies the issue in the plugin and indicates that the problem is resolved by updating to version 2.5.2 or later. The EPSS score reached a peak of 0.2819 before receding to its current value of 0.2467, indicating moderate and sustained exploitation interest after disclosure.
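As an added example (not the plugin's code and not the fix shipped in 2.5.2), the server-side checks an upload handler needs so that a missing-validation bug of this kind cannot place a PHP file on the server: capability and nonce checks, an explicit extension/MIME allow-list, and content-based type verification. The action name, nonce action and form field name are hypothetical; everything else is a core WordPress function.

```php
<?php
// Hypothetical action and field names; the functions used are WordPress core.
add_action( 'admin_post_example_upload', 'example_handle_upload' );

function example_handle_upload() {
    // Only users allowed to upload, and only from a form carrying a valid nonce.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_upload' );

    if ( empty( $_FILES['example_file']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['example_file']['tmp_name'] ) ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }

    // Explicit allow-list of extension => MIME type. Nothing executable
    // (php, phtml, phar, ...) is on it, so such uploads fail the checks below.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
        'txt'      => 'text/plain',
    );

    // sanitize_file_name() strips path separators and neutralises
    // intermediate extensions such as "shell.php.png".
    $file         = $_FILES['example_file'];
    $file['name'] = sanitize_file_name( $file['name'] );

    // wp_check_filetype_and_ext() checks the extension and the actual file
    // content against the allow-list, ignoring the client-supplied $_FILES['type'].
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed.', '', array( 'response' => 415 ) );
    }

    // wp_handle_upload() repeats the type check with the same allow-list and
    // moves the file into the uploads directory under a unique name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    wp_safe_redirect( add_query_arg( 'uploaded', '1', wp_get_referer() ) );
    exit;
}
```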


Vulnerability details

The Prevent files / folders access WordPress plugin before 2.5.2 does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

miniorange
prevent files / folders access
≤ 2.5.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
