CVE-2023-4971

2023-10-1620:15:17

CWE-502

[email protected]

web.nvd.nist.gov

cve-2023-4971

weaver xtreme theme support

wordpress plugin

php object injections

php

security issue

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

19.4%

JSON

The Weaver Xtreme Theme Support WordPress plugin before 6.3.1 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog.

Affected configurations

Vulners

NVD

Node

weaverweaver_office_automationRange<6.3.1

VendorProductVersionCPE
weaverweaver_office_automation*cpe:2.3:a:weaver:weaver_office_automation:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
weaver	weaver_office_automation	*	cpe:2.3:a:weaver:weaver_office_automation::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Weaver Xtreme Theme Support",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "6.3.1"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]