← back
CVE-2023-5886

WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF

EPSS 0.5%
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
18 Dec 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution.
Affected products
Unknown · Export any WordPress data to XML/CSVUnknown · WP All Export Pro

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/0a08e49d-d34e-4140-a15d-ad64444665a3