History: Jan 08, 2024 - 7:15 p.m.

CVE-2023-5957

2024-01-08 19:15:09
CWE-434
web.nvd.nist.gov
Tags: ni purchase order, woocommerce, wordpress, plugin, arbitrary file upload, rce, vulnerability, cve-2023-5957, nvd

CVSS3: 7.2 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 19.1%

The Ni Purchase Order(PO) For WooCommerce WordPress plugin through 1.2.1 does not validate the logo and signature image files uploaded in its settings. This allows a high-privileged user to upload arbitrary files to the web server and trigger an RCE vulnerability by uploading a web shell.

Affected configurations

Node: addify order_approval_for_woocommerce, Range: 1.2.1

Vendor: addify
Product: order_approval_for_woocommerce
Version: *
CPE: cpe:2.3:a:addify:order_approval_for_woocommerce:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Ni Purchase Order(PO) For WooCommerce",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThanOrEqual": "1.2.1"
      }
    ],
    "defaultStatus": "affected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
