Lucene search

[email protected]NVD:CVE-2023-4994

HistorySep 16, 2023 - 2:15 a.m.

CVE-2023-4994

2023-09-1602:15:07

[email protected]

web.nvd.nist.gov

wordpress

remote code execution

plugin

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score

9.8

Confidence

High

EPSS

0.001

Percentile

36.5%

JSON

The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.0.4 via the ‘php’ shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server.

Affected configurations

Nvd

Node

hitreachallow_php_in_posts_and_pagesRange≤3.0.4wordpress

VendorProductVersionCPE
hitreachallow_php_in_posts_and_pages*cpe:2.3:a:hitreach:allow_php_in_posts_and_pages:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
hitreach	allow_php_in_posts_and_pages	*	cpe:2.3:a:hitreach:allow_php_in_posts_and_pages::::::wordpress::*

References

plugins.trac.wordpress.org/browser/allow-php-in-posts-and-pages/trunk/allowphp.php#L373

www.wordfence.com/threat-intel/vulnerabilities/id/3d8b4bb6-3715-40c1-8140-7fcf874ccec3?source=cve

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score

9.8

Confidence

High

EPSS

0.001

Percentile

36.5%

JSON

Related for NVD:CVE-2023-4994

cve1 cvelist1 prion1 wpvulndb1 wordfence2