WordPress Plugin Vulnerabilities

Nexter Extension < 2.0.4 - Authenticated(Editor+) Remote Code Execution via metabox

Description

The Nexter Extension plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.3 via the nxt-code-php-snippet metabox. This allows authenticated attackers with editor-level privileges and above to execute code on the server.

Affects Plugins

Plugin icon
nexter-extension
Fixed in 2.0.4

References

CVE
CVE-2023-45751
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/188c4417-962a-4b28-b215-1c567b39ba7a

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
eb16a682-b669-4bc0-8d2b-39bbf804779d

Timeline

Publicly Published
2023-10-12 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-11 (about 2 years ago)

Other

Published
Title
Published
2024-09-09
Title
Frontend Dashboard < 2.2.5 - Authenticated (Subscriber+) Arbitrary Function Call
Published
2014-08-01
Title
DZS Video Gallery - ajax.php source Parameter Reflected XSS
Published
2024-09-09
Title
Affiliate Super Assistent < 1.5.4 - Unauthenticated Arbitrary Shortcode Execution
Published
2021-05-14
Title
WP Super Cache < 1.7.3 - Authenticated Remote Code Execution
Published
2025-03-12
Title
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.8.7 - Unauthenticated Arbitrary Shortcode Execution