WordPress Plugin Vulnerabilities

OpenHook < 4.3.1 - Subscriber+ Remote Code Execution

Description

The plugin does not prevent low-privileged users like subscribers from using its 'php' shortcode feature, leading to potential Remote Code Execution.

Affects Plugins

Plugin icon
thesis-openhook
Fixed in 4.3.1

References

CVE
CVE-2023-5201
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/37b9ed0e-5af2-47c1-b2da-8d103e4c31bf

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
5bd9fbd2-26ea-404a-aba7-f0c457a082b6

Timeline

Publicly Published
2023-09-29 (about 2 years ago)
Added
2023-10-01 (about 2 years ago)
Last Updated
2023-10-01 (about 2 years ago)

Other

Published
Title
Published
2016-04-12
Title
Robo Gallery <= 2.0.14 - Remote Code Execution
Published
2024-09-09
Title
Frontend Dashboard < 2.2.5 - Authenticated (Subscriber+) Arbitrary Function Call
Published
2024-12-03
Title
Authors List < 2.0.5 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-06-14
Title
Woody code snippets – Insert Header Footer Code, AdSense Ads < 2.5.1 -Authenticated (Contributor+) Remote Code Execution
Published
2025-08-25
Title
bidorbuy Store Integrator <= 2.12.0 - Authenticated (Admin+) Remote Code Execution