CVE-2023-6140

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

8.8HIGH

EPSS

3.9%

top 11.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Essential Real Estate G5plus Essential Real Estate G5theme Essential Real Estate

Timeline

PublishedJan 8

Description

The Essential Real Estate WordPress plugin before 4.4.0 does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDg5plus/essential_real_estate< 4.4.0

▶CVEListV5unknown/essential_real_estate< 4.4.0

▶CVEListV5g5theme/essential_real_estate4.3.5

🔴Vulnerability Details

CVEList

Essential Real Estate < 4.4 - Subscriber+ Arbitrary File Upload↗2024-01-08

▶

GHSA

GHSA-pmx3-5c86-vxfm: The Essential Real Estate WordPress plugin before 4↗2024-01-08

▶