CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

AI Score
Confidence: Low

EPSS
Percentile: 9.0%
WordPress is vulnerable to Remote Code Execution (RCE). The vulnerability is due to a defect in the Plugins -> Add New -> Upload plugin functionality: an uploaded file other than a zip file remains temporarily available in the Media Library even though it is not allowed during FTP upload, and that file can then be used as a plugin. This can lead to Remote Code Execution (RCE) if the DISALLOW_FILE_EDIT constant is set to true on the site and FTP credentials are required when uploading a new theme or plugin. This issue only affects Administrator level users on single site installations, and Super Admin level users on Multisite installations.