PT-2023-27941 · WordPress · Wp Ultimate Csv Importer

István Márton

Published

2023-08-04

Updated

2023-08-08

CVE-2023-4141

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions WP Ultimate CSV Importer plugin for WordPress versions up to, and including, 7.9.8

Description The issue allows authenticated attackers with author-level permissions or above to execute code on the server via the ->cus2 parameter, enabling them to create a PHP file. This is possible if the administrator previously grants access in the plugin settings.

Recommendations For WP Ultimate CSV Importer plugin for WordPress versions up to, and including, 7.9.8, the author resolved this issue by removing the ability for authors and editors to import files. However, site administrators can still create PHP files, so use the plugin with caution.

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2023-4141

Affected Products

Wp Ultimate Csv Importer

PT-2023-27941 · WordPress · Wp Ultimate Csv Importer

CVE-2023-4141

Weakness Enumeration

Related Identifiers

Affected Products

References · 5