// For flags

CVE-2023-4521

Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version.

El complemento de WordPress Import XML and RSS Feeds anterior a 2.1.5 contiene un shell web que permite a atacantes no autenticados realizar RCE. El complemento/proveedor no se vio comprometido y los archivos son el resultado de ejecutar una PoC para un problema informado anteriormente (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) y no eliminar los archivos creados cuando lanzando la nueva versiĆ³n.

The Import XML and RSS Feeds for WordPress is vulnerable to remote code execution in versions up to, and including, 2.1.4. This is due to the plugin vendor leaving a malicious file behind when patching CVE-2023-4300. This makes it possible for unauthenticated attackers to access the 169227090864de013cac47b.php file and achieve remote code execution.

*Credits: Enrico Marcolini, WPScan
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-08-24 CVE Reserved
  • 2023-08-28 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • 2024-10-27 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mooveagency
Search vendor "Mooveagency"
Import Xml And Rss Feeds
Search vendor "Mooveagency" for product "Import Xml And Rss Feeds"
< 2.1.5
Search vendor "Mooveagency" for product "Import Xml And Rss Feeds" and version " < 2.1.5"
wordpress
Affected