Cyber Resilience

CVE-2023-4300

High · Public PoC

Published: 25 September 2023
Modified: 23 April 2025
KEV Added: not listed
Patch: fixed release 2.1.4 (per the WPScan advisory referenced below)
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1203 (93.9th percentile)
Risk Priority: 22 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-4300 is a high-severity vulnerability, with no CWE assigned, in the Mooveagency Import XML and RSS Feeds WordPress plugin. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 6.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The Import XML and RSS Feeds WordPress plugin before version 2.1.4 contains an unrestricted file upload vulnerability. The upload component does not validate the extension of uploaded files, so a malicious PHP file can be placed in a web-served directory on the server and subsequently executed by requesting it.

An authenticated user with administrative privileges can exploit the flaw over the network with low attack complexity. Successful exploitation grants full remote code execution, allowing the attacker to read, modify, or delete data and potentially take complete control of the affected WordPress site. Because the vector requires high privileges (PR:H), the flaw is chiefly a path from a compromised or malicious administrator account to code execution on the underlying host; it does not by itself expose unauthenticated visitors.

The referenced WPScan advisory describes the issue and identifies the fixed release as version 2.1.4. The EPSS score has remained flat at 0.1203, with no material increase since disclosure.
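As an added illustration (not code from the plugin or the advisory), the check whose absence the advisory describes, showing the unfiltered upload pattern beside an allowlisted one; the sample file names and contents are constructed:

```php
<?php
// Added example, not the plugin's code: the extension check the advisory says
// is missing, written as plain PHP so it runs outside WordPress. Inside
// WordPress, wp_handle_upload() enforces get_allowed_mime_types() and should
// be preferred over a raw move_uploaded_file().

// Allowlist keyed by extension; the sniffed content type must match as well.
const ALLOWED_UPLOADS = [
    'xml' => ['text/xml', 'application/xml'],
    'rss' => ['application/rss+xml', 'text/xml', 'application/xml'],
];

// Vulnerable shape: the client-chosen name decides the extension, so a
// name ending in .php lands in a web-served directory and runs on request.
function unsafe_store(string $clientName, string $tmpPath, string $dir): string
{
    $dest = $dir . '/' . basename($clientName);
    rename($tmpPath, $dest);   // no check on the extension at all
    return $dest;
}

// Hardened shape: allowlist the last extension (case-insensitive), verify the
// sniffed MIME type, and never reuse the client name for the stored file.
function safe_store(string $clientName, string $tmpPath, string $dir): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        return null;           // x.php, feed.xml.php, x.phtml, y.PHP all stop here
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
        return null;           // PHP source renamed to .xml fails the content check
    }
    $dest = $dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return rename($tmpPath, $dest) ? $dest : null;
}

// Constructed demo inputs (not taken from the advisory or the plugin).
$samples = [
    'feed.xml'      => '<?xml version="1.0"?><rss version="2.0"></rss>',
    'feed.xml.php'  => '<?php echo "not a feed";',
    'disguised.xml' => '<?php echo "not a feed";',
];
$dir = sys_get_temp_dir();
foreach ($samples as $name => $body) {
    $tmp = tempnam($dir, 'upload');
    file_put_contents($tmp, $body);
    $stored = safe_store($name, $tmp, $dir);
    printf("%-14s %s\n", $name, $stored ? 'stored as ' . basename($stored) : 'rejected');
    @unlink($stored ?? $tmp);
}
```

Only feed.xml is stored; the other two are rejected, the first by the extension allowlist and the second by the MIME sniff.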

EU & UK References

Vulnerability details

The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: mooveagency
Product: import xml and rss feeds
Affected versions: ≤ 2.1.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References