PT-2023-31720 · WordPress · Wordpress

Alex Thomas

·

Published

2023-10-31

·

Updated

2023-11-13

·

CVE-2023-5099

CVSS v3.1

8.8

High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: HTML filter and csv-file search plugin for WordPress, versions up to and including 2.7

Description: The issue allows authenticated attackers with contributor-level permissions and above to include and execute arbitrary files on the server via the src attribute of the csvsearch shortcode. This can lead to bypassing access controls, obtaining sensitive data, or achieving code execution, especially where images and other "safe" file types can be uploaded and then included.

Recommendations: For versions up to and including 2.7, consider disabling the csvsearch shortcode until a patch is available, to prevent the inclusion and execution of arbitrary files. Restrict access to the src attribute to minimize the risk of exploitation. Avoid using the src attribute in the csvsearch shortcode until the issue is resolved.
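The following mu-plugin is an added hardening example, not the plugin's own code and not the vendor's patch. It applies the two recommendations above in WordPress terms: it removes the csvsearch shortcode registered by the plugin and re-registers a constrained replacement that accepts only a bare `name.csv` from one allow-listed directory, resolves it with `realpath()` so traversal sequences and symlinks cannot escape that directory, and reads the file as data with `fgetcsv()` instead of passing it to `include`. The shortcode tag `csvsearch` and the attribute name `src` come from the advisory; the allow-listed directory (`wp-content/uploads/csvsearch`), the function names, and the table rendering are assumptions made for this example. Drop it into `wp-content/mu-plugins/` to have it load before regular plugins.

```php
<?php
/**
 * Plugin Name: csvsearch hardening (example mu-plugin, added here; not the plugin's code)
 *
 * The advisory describes a handler that effectively does
 *     include $atts['src'];
 * with an attacker-controlled path. This replacement never includes the file:
 * it validates the name, confines it to one directory, and reads it as CSV data.
 */

// Run late on 'init' so the plugin's own add_shortcode() call has already happened.
add_action( 'init', function () {
    // Recommendation 1: drop the vulnerable handler entirely.
    remove_shortcode( 'csvsearch' );
    // Recommendation 2: restrict what src may refer to by re-registering a constrained handler.
    add_shortcode( 'csvsearch', 'hardened_csvsearch_shortcode' );
}, 100 );

/**
 * Resolve a user-supplied src value to a real file inside $base_dir, or return null.
 * realpath() collapses "../" and symlinks, so the prefix check cannot be bypassed.
 */
function hardened_csvsearch_resolve( string $src, string $base_dir ): ?string {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return null; // allow-listed directory does not exist yet
    }
    // Only a bare file name with a .csv extension: no directory parts, no scheme, no NUL bytes.
    if ( ! preg_match( '/\A[A-Za-z0-9_-]+\.csv\z/', $src ) ) {
        return null;
    }
    $path = realpath( $base . DIRECTORY_SEPARATOR . $src );
    if ( false === $path
        || 0 !== strncmp( $path, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) ) {
        return null; // resolved outside the allow-listed directory
    }
    return is_file( $path ) ? $path : null;
}

/**
 * Constrained shortcode handler: [csvsearch src="data.csv"] renders the CSV as an HTML table.
 */
function hardened_csvsearch_shortcode( $atts ): string {
    $atts = shortcode_atts( [ 'src' => '' ], $atts, 'csvsearch' );

    // Hypothetical allow-listed directory below the uploads folder.
    $base_dir = wp_upload_dir()['basedir'] . '/csvsearch';

    $path = hardened_csvsearch_resolve( (string) $atts['src'], $base_dir );
    if ( null === $path ) {
        return '<p>csvsearch: file not available.</p>';
    }

    // Treat the file as data: even an uploaded "image" renamed .csv is only parsed, never executed.
    $fh = fopen( $path, 'rb' );
    if ( false === $fh ) {
        return '<p>csvsearch: file not available.</p>';
    }
    $rows = [];
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        $rows[] = '<tr><td>' . implode( '</td><td>', array_map( 'esc_html', $row ) ) . '</td></tr>';
    }
    fclose( $fh );

    return '<table class="csvsearch">' . implode( '', $rows ) . '</table>';
}
```

The priority of 100 on `init` matters: if the replacement is registered before the plugin registers its own handler, the plugin's `add_shortcode()` call would overwrite it again. Sites that do not need the shortcode at all can keep only the `remove_shortcode()` line, which is the simplest form of the first recommendation.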

Fix

Files Accessible to External Parties


Weakness Enumeration

Related Identifiers

CVE-2023-5099

Affected Products

WordPress