8.8
CVE-2023-4140
- EPSS 0.06%
- Veröffentlicht 04.08.2023 03:15:14
- Zuletzt bearbeitet 08.04.2026 18:18:12
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginWP Ultimate CSV Importer <= 7.9.8 - Arbitrary Usermeta Update to Authenticated (Author+) Privilege Escalation
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.9.8 due to insufficient restriction on the 'get_header_values' function. This makes it possible for authenticated attackers, with minimal permissions such as an author, if the administrator previously grants access in the plugin settings, to modify their user role by supplying the 'wp_capabilities->cus1' parameter.
Mögliche Gegenmaßnahme
WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress: Update to version 7.9.9, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress
Version
*-7.9.8
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Smackcoders ≫ Wp Ultimate Csv Importer SwPlatformwordpress Version <= 7.9.8
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.06% | 0.194 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security@wordfence.com | 6.6 | 0.7 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.