WordPress Plugin Vulnerabilities

Astra Pro < 4.3.2 - Authenticated(Contributor+) Remote Code Execution via Metabox

Description

The Astra Pro Addon plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.3.1 via the ast-advanced-hook-php-code meta field. This makes it possible for authenticated attackers, with contributor access and above, to execute code on the server.

Affects Plugins

Plugin icon
astra-addon
Fixed in 4.3.2

References

CVE
CVE-2023-49830
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b9769bc3-236f-4c9d-a4ce-544e49eee2ec

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
3c1adb7c-0a5a-4359-8a61-0579bf99f6f1

Timeline

Publicly Published
2023-12-05 (about 2 years ago)
Added
2023-12-09 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
TDO Mini Forms 0.13.9 - tdomf-upload-inline.php File Upload Remote Code Execution
Published
2025-07-07
Title
Woodmart < 8.2.4 - Unauthenticated Arbitrary Shortcode Execution
Published
2014-08-01
Title
Hungred Post Thumbnail - hpt_file_upload.php File Upload PHP Code Execution
Published
2024-03-12
Title
Anti-Malware Security and Brute-Force Firewall < 4.23.56 - Unauthenticated Remote Code Execution
Published
2025-10-01
Title
s2Member < 251005 - Unauthenticated Remote Code Execution