CVE-2023-4140 Vulnerability Details

  /     /     /  

CVE-2023-4140 Metadata Quick Info

CVE Published: 04/08/2023 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: Wordfence | Vendor: smackcoders | Product: Import All Pages, Post types, Products, Orders, and Users as XML & CSV
Status : PUBLISHED

CVE-2023-4140 Description

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.9.8 due to insufficient restriction on the \'get_header_values\' function. This makes it possible for authenticated attackers, with minimal permissions such as an author, if the administrator previously grants access in the plugin settings, to modify their user role by supplying the \'wp_capabilities->cus1\' parameter.

Metrics

CVSS Version: 3.1 | Base Score: 6.6 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID:
CWE Name: CWE-269 Improper Privilege Management
Source: smackcoders

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).

Last added CVEs

▸ CVE-2024-9999 ◂
Discovered: 12/11/2024
Status: PUBLISHED
▸ CVE-2024-9997 ◂
Discovered: 29/10/2024
Status: PUBLISHED
▸ CVE-2024-9996 ◂
Discovered: 29/10/2024
Status: PUBLISHED



Tags:
CVE-2023-4140 Vulnerability Details