CVE-2023-4521
published 2023-09-25


Priority: P180 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 39.55% (98.4th percentile)
The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version.

Affected

1 range
Vendor | Product | Version range | Fixed in
mooveagency | import_xml_and_rss_feeds | < 2.1.5 | 2.1.5

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/import-xml-feed/uploads/169227090864de013cac47b.php
filename: 169227090864de013cac47b.php
path: /wp-content/plugins/import-xml-feed/readme.txt
command: cmd=ping+{{interactsh-url}}
  • Check for the presence of the web shell file at the known path under the plugin's uploads directory; unauthenticated GET requests to this PHP file with a `cmd` parameter indicate active exploitation.
  • The vulnerability allows unauthenticated RCE via a pre-existing web shell dropped in the plugin's uploads folder; no authentication is required to trigger command execution.
  • Confirm plugin presence first by verifying the readme.txt returns 'Import XML and RSS Feeds' before probing for the web shell.
  • The web shell was NOT introduced by a supply-chain compromise; it was left behind after running a PoC for a previously reported issue and not cleaned up before the release.
  • The specific web shell filename (169227090864de013cac47b.php) is tied to this particular PoC artifact; other deployments of the same plugin version may have differently named shells if the PoC was run independently.
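
The detection notes above can be applied to web server access logs. The following is an added example, not code from this page or from the plugin vendor: it assumes logs in Combined Log Format, flags any request for a PHP file under the plugin's uploads directory (not only the known filename, since other shells may be named differently), and uses verdict labels and sample log lines that are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

KNOWN_SHELL = "169227090864de013cac47b.php"  # filename from the IOC list above
# Any PHP file directly under the plugin's uploads directory
# (search, not match, because WordPress may be installed in a subdirectory).
SHELL_PATH = re.compile(r"/wp-content/plugins/import-xml-feed/uploads/([^/]+\.php)$")
# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return a finding for a request to PHP under the plugin uploads dir, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, when, _method, target, status = m.groups()
    url = urlsplit(target)
    hit = SHELL_PATH.search(unquote(url.path))  # decode %xx so encoded dots still match
    if not hit:
        return None
    has_cmd = "cmd" in parse_qs(url.query, keep_blank_values=True)
    served = status.startswith("2")
    if has_cmd:
        # Per the notes above, a cmd parameter on this file indicates exploitation.
        verdict = "active-exploitation" if served else "exploit-attempt"
    else:
        verdict = "php-reachable" if served else "probe"
    return {"ip": ip, "time": when, "file": hit.group(1),
            "known_name": hit.group(1) == KNOWN_SHELL, "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation IP ranges), not from a real host.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2023:10:01:02 +0000] "GET /wp-content/plugins/import-xml-feed/readme.txt HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [26/Sep/2023:10:01:03 +0000] "GET /wp-content/plugins/import-xml-feed/uploads/169227090864de013cac47b.php?cmd=ping+oob.example.invalid HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [26/Sep/2023:11:15:40 +0000] "GET /blog/wp-content/plugins/import-xml-feed/uploads/169227090864de013cac47b.php?cmd=ping+oob.example.invalid HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.7 - - [26/Sep/2023:11:15:41 +0000] "GET /wp-content/plugins/import-xml-feed/uploads/other%2Ephp HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.5 - - [26/Sep/2023:12:00:00 +0000] "GET /wp-content/plugins/import-xml-feed/uploads/feed.xml HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `php-reachable` or `active-exploitation` finding means the file exists on disk and should be removed alongside upgrading the plugin to 2.1.5.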