CVE-2023-4243
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Guideline Violation), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The FULL - Customer plugin for WordPress is vulnerable to Arbitrary File Upload via the /install-plugin REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to execute code by installing plugins from arbitrary remote locations including non-repository sources onto the site, granted they are packaged as a valid WordPress plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
4- www.wordfence.com/threat-intel/vulnerabilities/id/9799df3f-e34e-42a7-8a72-fa57682f7014nvdThird Party Advisory
- plugins.trac.wordpress.org/browser/full-customer/tags/1.1.0/app/api/Plugin.phpnvdProduct
- plugins.trac.wordpress.org/browser/full-customer/tags/2.2.1/app/api/PluginInstallation.phpnvdProduct
- plugins.trac.wordpress.org/browser/full-customer/tags/2.3/app/api/Controller.phpnvd
News mentions
0No linked articles in our index yet.