CVE-2023-4243

Name of the Vulnerable Software and Affected Versions The FULL - Customer plugin for WordPress versions up to, and including, 2.2.3

Description The issue allows authenticated attackers with subscriber-level permissions and above to execute code by installing plugins from arbitrary remote locations, including non-repository sources, onto the site. This is possible due to improper authorization in the /install-plugin REST route. The attackers can install plugins from any location, granted they are packaged as a valid WordPress plugin.

Recommendations For versions up to, and including, 2.2.3, consider disabling the /install-plugin REST route until a patch is available to prevent arbitrary file uploads. Restrict access to the plugin installation feature to minimize the risk of exploitation. Avoid using the plugin installation feature from non-repository sources until the issue is resolved.