CVE-2023-4643

2023-10-1620:15:15

[email protected]

web.nvd.nist.gov

cve-2023-4643

enable media replace

wordpress

plugin

unserialization

remove background

author+ users

php object injection

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.5%

JSON

The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog

Affected configurations

Vulners

NVD

Node

sapenable_nowRange<4.1.3

VendorProductVersionCPE
sapenable_now*cpe:2.3:a:sap:enable_now:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sap	enable_now	*	cpe:2.3:a:sap:enable_now::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Enable Media Replace",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "4.1.3"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]