8.8
CVE-2023-5886
- EPSS 0.75%
- Published 18.12.2023 20:15:08
- Last modified 21.11.2024 08:42:42
- Source contact@wpscan.com
Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 - Cross-Site Request Forgery to PHAR Deserialization
The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 and the WP All Export Pro WordPress plugin before 1.8.6 do not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged-in users perform unwanted actions, leading to PHAR deserialization, which may lead to remote code execution.
Possible mitigation
WP All Export – XML & CSV Export: Update to version 1.4.1, or a newer patched version
WP All Export Pro: Update to version 1.8.6, or a newer patched version
Further vulnerability information
| System | Product | Version |
|---|---|---|
| WordPress Plugin | WP All Export – XML & CSV Export | [*, 1.4.1) |
| WordPress Plugin | WP All Export Pro | [*, 1.8.6) |
Data provided by the National Vulnerability Database (NVD)
Soflyy ≫ Export Any WordPress Data To XML/CSV (platform: wordpress), version < 1.4.1
Soflyy ≫ WP All Export (edition: pro, platform: wordpress), version < 1.8.6
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.75% | 0.723 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.