8.8
CVE-2023-4140
- EPSS 0.06%
- Veröffentlicht 04.08.2023 03:15:14
- Zuletzt bearbeitet 21.11.2024 08:34:28
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginWP Ultimate CSV Importer <= 7.9.8 - Arbitrary Usermeta Update to Authenticated (Author+) Privilege Escalation
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.9.8 due to insufficient restriction on the 'get_header_values' function. This makes it possible for authenticated attackers, with minimal permissions such as an author, if the administrator previously grants access in the plugin settings, to modify their user role by supplying the 'wp_capabilities->cus1' parameter.
Mögliche Gegenmaßnahme
WP Import – Ultimate CSV XML Importer for WordPress: Update to version 7.9.9, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WP Import – Ultimate CSV XML Importer for WordPress
Version
*-7.9.8
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Smackcoders ≫ Wp Ultimate Csv Importer SwPlatformwordpress Version <= 7.9.8
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.06% | 0.194 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security@wordfence.com | 6.6 | 0.7 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
|