CVE-2023-2249
🟠 Patch this week
Local file inclusion in the wpForo plugin for WordPress allows remote code execution.
CVSS
8.8
EPSS
48.2%
Exploit
none
Vendor
gvectors
Source description (NVD)
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to retrieve the contents of files like wp-config.php hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.
deserialization rce ssrf
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 8.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 48.2% |
| Published (NVD) | 2023-06-09 06:16:05 UTC |
| Last modified (NVD) | 2026-04-08 18:17:58 UTC |
References
- https://plugins.trac.wordpress.org/browser/wpforo/tags/2.1.7/classes/Actions.php#L444 (security@wordfence.com) [Patch]
- https://plugins.trac.wordpress.org/browser/wpforo/tags/2.1.8/classes/Actions.php#L437 (security@wordfence.com) [Patch]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/800fa098-b29f-4979-b7bd-b1186a4dafcb?source=cve (security@wordfence.com) [Third Party Advisory]