Lucene search

WordfenceCVE-2023-4994

HistorySep 16, 2023 - 2:15 a.m.

CVE-2023-4994

2023-09-1602:15:07

Wordfence

web.nvd.nist.gov

wordpress

plugin

vulnerability

remote code execution

cve-2023-4994

nvd

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.001

Percentile

36.5%

JSON

The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.0.4 via the ‘php’ shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server.

Affected configurations

Nvd

Vulners

Node

hitreachallow_php_in_posts_and_pagesRange≤3.0.4wordpress

VendorProductVersionCPE
hitreachallow_php_in_posts_and_pages*cpe:2.3:a:hitreach:allow_php_in_posts_and_pages:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
hitreach	allow_php_in_posts_and_pages	*	cpe:2.3:a:hitreach:allow_php_in_posts_and_pages::::::wordpress::*

CNA Affected

[
  {
    "vendor": "hit-reach",
    "product": "Allow PHP in Posts and Pages",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "3.0.4",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/browser/allow-php-in-posts-and-pages/trunk/allowphp.php#L373

www.wordfence.com/threat-intel/vulnerabilities/id/3d8b4bb6-3715-40c1-8140-7fcf874ccec3?source=cve

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.001

Percentile

36.5%

JSON

Related for CVE-2023-4994