CVE-2023-4142

Name of the Vulnerable Software and Affected Versions WP Ultimate CSV Importer plugin for WordPress versions up to, and including, 7.9.8

Description The issue allows authenticated attackers with author-level permissions or above to execute code on the server via the ->cus1 parameter, if the administrator previously grants access in the plugin settings. This can be exploited by attackers with sufficient permissions, potentially leading to remote code execution. The author has resolved this issue by removing the ability for authors and editors to import files, but note that remote code execution is still possible for site administrators.

Recommendations For versions up to, and including, 7.9.8, consider removing the ability for authors and editors to import files to mitigate the risk of exploitation, as done by the author. Additionally, use the plugin with caution, especially for site administrators, as they can still execute code on the server.