CVE-2023-4521

2023-09-25 16:15:15
WPScan
web.nvd.nist.gov
Tags: cve-2023-4521, import xml, rss feeds, wordpress plugin, web shell, rce, unauthenticated attackers, nvd, vulnerability

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.5
Confidence: High

EPSS: 0.014
Percentile: 86.7%

The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version.

Affected configurations

Node: mooveagency import_xml_and_rss_feeds, Range <2.1.5, wordpress

Vendor: mooveagency
Product: import_xml_and_rss_feeds
Version: *
CPE: cpe:2.3:a:mooveagency:import_xml_and_rss_feeds:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Import XML and RSS Feeds",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "2.1.4",
        "lessThan": "2.1.5"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
