Import XML and RSS Feeds < 2.1.5 – Unauthenticated RCE | CVE 2023-4521

Description

The plugin contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version.

Proof of Concept

https://example.com/wp-content/plugins/import-xml-feed/uploads/169227090864de013cac47b.php?cmd=whoami

Affects Plugins

import-xml-feed

Fixed in 2.1.5

References

CVE

CVE-2023-4521

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

Enrico Marcolini

Submitter

Enrico Marcolini

Submitter website

https://www.enricomarcolini.it

Submitter twitter

@MarcuzReloaded

Verified

Yes

WPVDB ID

de2cdb38-3a9f-448e-b564-a798d1e93481

Timeline

Publicly Published

2023-08-28 (about 8 months ago)

Added

2023-08-30 (about 8 months ago)

Last Updated

2023-08-30 (about 8 months ago)

Other

Published

Title

Published

2021-09-13

Title

EditorsKit < 1.31.6 - Contributor+ Arbitrary PHP Code Execution

Published

2016-08-02

Title

wSecure Lite <= 2.3 - Remote Code Execution (RCE)

Published

2014-08-01

Title

TDO Mini Forms 0.13.9 - tdomf-upload-inline.php File Upload Remote Code Execution

Published

2021-03-16

Title

WP Super Cache < 1.7.2 - Authenticated Remote Code Execution (RCE)

Published

2014-09-22

Title

Flash Uploader <= 3.1.2 - Arbitrary Comm& Execution