exploitDog

CVE-2023-0477

Published: 13 Mar 2023
Source: nvd
CVSS3: 8.8
EPSS: Low

Description

The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.16 includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files. This is caused by incorrect file extension validation.
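The weakness class here is CWE-434 (unrestricted upload of a file with a dangerous type) reached through a `wp_ajax_*` handler. WordPress grants the Author role the `upload_files` capability by default, so any AJAX upload handler that relies on that capability alone, and then checks the file name loosely, is reachable by every author on the site. The snippet below is an added illustration, not code from the Auto Featured Image plugin or from this database record: the function names `example_*`, the action name `example_upload_thumbnail` and the `nonce`/`post_id`/`file` request fields are hypothetical. It contrasts a substring-style extension check with one that validates the final extension against a fixed allow-list through core WordPress APIs.

```php
<?php
// Added example (hypothetical). Not the plugin's code.
// Shows a CWE-434 pattern in a WordPress AJAX upload handler and a hardened form.

// --- Weak pattern: "is an allowed extension somewhere in the name?" ---
function example_vulnerable_ext_check( $filename ) {
    // Accepts "avatar.jpg" but also "shell.jpg.php", because the allowed
    // token may appear anywhere in the name rather than as the final extension.
    foreach ( array( '.jpg', '.jpeg', '.png', '.gif' ) as $ext ) {
        if ( strpos( strtolower( $filename ), $ext ) !== false ) {
            return true;
        }
    }
    return false;
}

// --- Hardened pattern: fixed allow-list, final extension only, core API ---
function example_safe_ext_check( $tmp_path, $filename ) {
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    // wp_check_filetype_and_ext() matches only the *final* extension against
    // $allowed (so "shell.jpg.php" yields ext === false) and, for image types,
    // reconciles the extension with the real image type found in the file.
    $check = wp_check_filetype_and_ext( $tmp_path, $filename, $allowed );
    return ! empty( $check['ext'] ) && ! empty( $check['type'] );
}

add_action( 'wp_ajax_example_upload_thumbnail', 'example_upload_thumbnail' );
function example_upload_thumbnail() {
    // 1. CSRF: require a nonce issued for this specific action.
    check_ajax_referer( 'example_upload_thumbnail', 'nonce' );

    // 2. Authorization: do not stop at upload_files (Authors have it by default);
    //    check the capability that matches what the endpoint actually does.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];

    // 3. Validate on the server-side temp path and the name; never trust
    //    the client-supplied $_FILES['file']['type'].
    if ( ! example_safe_ext_check( $file['tmp_name'], $file['name'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let core move the file. 'mimes' applies the same allow-list again and
    //    the stored name is sanitized/uniquified by WordPress.
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
        ),
    ) );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The practitioner's check is the final extension of the stored file, because that is what the web server's handler mapping acts on: a PHP payload saved as `x.jpg` is not executed by a default Apache or nginx configuration, whereas anything ending in `.php` under `wp-content/uploads/` is. Pair the allow-list with a deny rule for script execution in the uploads directory as a second layer.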

Vulnerable configurations

Configuration 1
cpe:2.3:a:cm-wp:auto_featured_image:*:*:*:*:*:wordpress:*:*
Versions before 3.9.16 (exclusive)

EPSS

Score: 0.00419
Percentile: 61%
Low

CVSS3

8.8 High

Weaknesses

CWE-434

Related vulnerabilities

Source: github
Published: almost 3 years ago
CVSS3: 8.8 High
EPSS: 0.00419 (percentile 61%, Low)
Weaknesses: CWE-434

The GitHub advisory carries the same description as the NVD entry above: the Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.16 includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files, caused by incorrect file extension validation.