CVE-2023-5882

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged in users perform unwanted actions leading to remote code execution.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:soflyy:export_any_wordpress_data_to_xml\/csv:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:soflyy:wp_all_export:*:*:*:*:pro:wordpress:*:*

History

21 Nov 2024, 08:42

Type Values Removed Values Added
References () https://wpscan.com/vulnerability/72be4b5c-21be-46af-a3f4-08b4c190a7e2 - Exploit, Third Party Advisory () https://wpscan.com/vulnerability/72be4b5c-21be-46af-a3f4-08b4c190a7e2 - Exploit, Third Party Advisory

21 Dec 2023, 19:50

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:soflyy:export_any_wordpress_data_to_xml\/csv:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:soflyy:wp_all_export:*:*:*:*:pro:wordpress:*:*
References () https://wpscan.com/vulnerability/72be4b5c-21be-46af-a3f4-08b4c190a7e2 - () https://wpscan.com/vulnerability/72be4b5c-21be-46af-a3f4-08b4c190a7e2 - Exploit, Third Party Advisory
First Time Soflyy export Any Wordpress Data To Xml\/csv
Soflyy wp All Export
Soflyy
Summary
  • (es) El complemento Export any WordPress data to XML/CSV de WordPress anterior a 1.4.0, el complemento WP All Export Pro de WordPress anterior a 1.8.6 no verifica los tokens nonce lo suficientemente temprano en el ciclo de vida de la solicitud, lo que permite a los atacantes hacer que los usuarios que han iniciado sesión realicen acciones no deseadas que conducen a ejecución remota de código.
CWE CWE-352

18 Dec 2023, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-12-18 20:15

Updated : 2024-11-21 08:42


NVD link : CVE-2023-5882

Mitre link : CVE-2023-5882

CVE.ORG link : CVE-2023-5882


JSON object : View

Products Affected

soflyy

  • export_any_wordpress_data_to_xml\/csv
  • wp_all_export
CWE
CWE-352

Cross-Site Request Forgery (CSRF)