CVE-2023-0159
published 2023-02-13

Priority: P1 82 high 7.5 CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 55.74% (98.9th percentile)
The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a parameter passed to the PHP extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the host's file system. This may be escalated to RCE using PHP filter chains.

Affected

1 range
Vendor: wprealize
Product: extensive_vc_addons_for_wpbakery_page_builder
Version range: < 1.9.1
Fixed in: 1.9.1

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php
path: /wp-content/plugins/extensive-vc-addon/
other: php://filter/convert.base64-encode/resource=../wp-config.php
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php containing the action parameter 'extensive_vc_init_shortcode_pagination' combined with 'options[template]' containing a php:// filter wrapper.
  • Successful exploitation returns a JSON response body containing the string '{"status":"success","message":"Items are loaded","data":' — match this in HTTP response bodies alongside the above request pattern to confirm LFI/RCE.
  • RCE escalation uses PHP filter chains passed via options[template]; look for long php://filter/convert.iconv.* chains in POST body to /wp-admin/admin-ajax.php with action=extensive_vc_init_shortcode_pagination.
  • Presence of the plugin directory /wp-content/plugins/extensive-vc-addon/ in HTTP responses can be used to fingerprint vulnerable targets for proactive scanning.
  • The vulnerability is unauthenticated — no session cookie or authentication token is required to exploit it. Detection rules must not filter out unauthenticated requests to admin-ajax.php.
  • The PHP filter chain RCE payload can be arbitrarily long and varied (different iconv conversion sequences per character), making static payload matching insufficient; focus on the action name and php:// scheme prefix in options[template].

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH