CVE-2023-34381

An unauthenticated attacker can send a crafted HTTP request to the Zippy plugin's archive import endpoint without any authentication or authorization [CWE-862]. The plugin fails to verify user capabilities before processing uploaded zip archives, allowing arbitrary file uploads. The attacker can upload a malicious zip file containing PHP code, which the plugin then extracts into the WordPress uploads directory, leading to remote code execution. The CVSS vector confirms the attack is network-based, requires no privileges, and needs no user interaction.

The Zippy WordPress plugin (versions through 1.6.2) lacks authorization checks on its archive import functionality. The plugin's archive import endpoint does not verify that the requesting user has the required capabilities before processing uploaded zip files.

The patch in version 1.7.0 adds proper capability checks (authorization) before allowing archive import operations. It also introduces CSRF nonce verification, path traversal protection, and a whitelist-based file extension validation to prevent arbitrary file uploads. These changes ensure that only authenticated users with appropriate permissions can import archives, closing the missing authorization vulnerability.