Lucene search

K
cve[email protected]CVE-2023-6558
HistoryJan 11, 2024 - 9:15 a.m.

CVE-2023-6558

2024-01-1109:15:49
CWE-434
web.nvd.nist.gov
13
wordpress
export
import
users
customers
plugin
vulnerability
cve-2023-6558
file upload
remote code execution

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.2%

The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the ‘upload_import_file’ function in versions up to, and including, 2.4.8. This makes it possible for authenticated attackers with shop manager-level capabilities or above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Affected configurations

Vulners
NVD
Node
webtoffeeimport_export_wordpress_usersRange2.4.8
VendorProductVersionCPE
webtoffeeimport_export_wordpress_users*cpe:2.3:a:webtoffee:import_export_wordpress_users:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "webtoffee",
    "product": "Export and Import Users and Customers",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.4.8",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.2%

Related for CVE-2023-6558