CVE-2023-5953

Name of the Vulnerable Software and Affected Versions Welcart e-Commerce WordPress plugin versions prior to 2.9.5

Description The issue arises from the lack of file validation for uploads and the absence of authorization and CSRF protection in an AJAX action handling file uploads. This allows any authenticated user, such as a subscriber, to upload arbitrary files, including PHP files, to the server.

Recommendations For versions prior to 2.9.5, update to version 2.9.5 or later to resolve the issue. As a temporary workaround, consider disabling the AJAX action handling file uploads until a patch is available. Restrict access to file upload functionality to minimize the risk of exploitation. Avoid using the file upload feature in the affected plugin until the issue is resolved.