Cyber Resilience

CVE-2023-4922

Critical · Public PoC

Published: 27 November 2023

Modified: 21 November 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2642 (96.4th percentile)
Risk Priority: 35 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-4922 is a critical-severity vulnerability with an unspecified weakness class in the Wpb Show Core Project product Wpb Show Core. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 3.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-4922 affects the WPB Show Core WordPress plugin through version 2.2 and consists of a local file inclusion flaw reachable via the `path` parameter. It received a CVSS v3.1 score of 9.8, reflecting network-accessible attack conditions with no required privileges or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply an arbitrary path value to read or include local files on the server, enabling disclosure of sensitive data or potential code execution depending on the server configuration and file contents. The EPSS score for this issue is 0.2642 with no material change from its recorded peak.

Public references from WPScan document the affected plugin versions and parameter but do not detail specific patches or configuration workarounds in the supplied information.


Vulnerability details

The WPB Show Core WordPress plugin through 2.2 is vulnerable to a local file inclusion via the `path` parameter.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wpb show core project
Product: wpb show core
Affected versions: ≤ 2.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
