CVE-2023-4140

Name of the Vulnerable Software and Affected Versions WP Ultimate CSV Importer plugin for WordPress versions up to, and including, 7.9.8

Description The issue is related to privilege escalation due to insufficient restriction on the get header values function. This allows authenticated attackers with minimal permissions, such as an author, to modify their user role by supplying the wp capabilities->cus1 parameter, but only if the administrator previously grants access in the plugin settings.

Recommendations For WP Ultimate CSV Importer plugin for WordPress versions up to, and including, 7.9.8: As a temporary workaround, consider restricting access to the get header values function until a patch is available. Additionally, avoid using the wp capabilities->cus1 parameter in affected areas until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.