CVE-2023-4300
Published: 25 September 2023
Summary
CVE-2023-4300 is a high-severity vulnerability, recorded without a specified CWE weakness type, in Mooveagency Import Xml And Rss Feeds. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Import XML and RSS Feeds WordPress plugin before version 2.1.4 contains an unrestricted file upload vulnerability. The component fails to validate file extensions on uploaded content, which permits an attacker to place a malicious PHP file on the server and subsequently execute arbitrary code.
An authenticated user with administrative privileges can exploit the flaw over the network with low attack complexity. Successful exploitation grants full remote code execution, allowing the attacker to read, modify, or delete data and potentially take complete control of the affected WordPress site.
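The root cause above is a missing extension check on uploaded feed files. The following is an added example, not code from the Import XML and RSS Feeds plugin, showing the vulnerable pattern (store the upload under its original name) next to a hardened handler that enforces an extension allowlist, requires the content to parse as XML, and stores the file under a server-generated name. The function names, the allowlist, and the sample file names are assumptions constructed for the illustration.

```php
<?php
// Added example (not the plugin's own code). Function names, the allowlist and the
// sample names below are assumptions constructed to illustrate the check.

/**
 * True only when $filename is a bare name with exactly one extension and that
 * extension is in the allowlist. Rejects path separators, NUL bytes and multiple
 * extensions (e.g. "feed.php.xml"), which some server configurations still hand to PHP.
 */
function import_feed_extension_is_allowed(string $filename, array $allowed = ['xml', 'rss', 'atom']): bool
{
    // Reject anything that is not a plain file name.
    if ($filename === '' || strpbrk($filename, "/\\\0") !== false) {
        return false;
    }
    $parts = explode('.', $filename);
    // Require a non-empty base name plus exactly one extension: ["feed", "xml"].
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    $ext = strtolower($parts[1]);
    return in_array($ext, $allowed, true);
}

/**
 * Vulnerable pattern (the flaw described above): the upload is written under its
 * original name with no extension check, so "feed.php" lands in a web-served directory.
 * Kept only to contrast with the hardened version.
 */
function vulnerable_store_upload(array $file, string $dir): string
{
    $dest = $dir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

/**
 * Hardened pattern: allowlist the extension, check that the content is well-formed XML
 * (without fetching external resources), and store under a random name with a fixed
 * safe extension so the original name never reaches the filesystem.
 */
function hardened_store_upload(array $file, string $dir): ?string
{
    if (!import_feed_extension_is_allowed($file['name'])) {
        return null;
    }
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_file($file['tmp_name'], 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return null;
    }
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.xml';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

// Constructed sample names exercising the allowlist check.
$samples = ['feed.xml', 'feed.XML', 'feed.php', 'feed.php.xml', 'feed.phtml', '../feed.xml', "feed.php\0.xml"];
foreach ($samples as $name) {
    printf("%-20s %s\n", addcslashes($name, "\0"), import_feed_extension_is_allowed($name) ? 'allowed' : 'rejected');
}
```

Of the constructed samples only `feed.xml` and `feed.XML` are accepted. In a real WordPress plugin the preferred route is to hand the upload to `wp_handle_upload()`, which applies `wp_check_filetype_and_ext()` and the site's `upload_mimes` allowlist, rather than calling `move_uploaded_file()` directly; a plugin that bypasses that path, as the vulnerable pattern above does, is exactly where this class of flaw appears and where code review and a deny rule for PHP execution in the uploads directory both pay off.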
The referenced WPScan advisory at the supplied URL describes the issue and identifies the fixed release as version 2.1.4. The EPSS score has remained flat at 0.1203 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-54171
Vulnerability details
The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.