CVE-2023-7082

EUVD-2023-59266
The Import any XML or CSV File to WordPress plugin before 3.7.3 accepts all zip files and automatically extracts the zip file into a publicly accessible directory without sufficiently validating the extracted file type. This may allows high privilege users such as administrator to upload an executable file type leading to remote code execution.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
Affected Products (NVD)
VendorProductVersion
soflyyexport_any_wordpress_data_to_xml\/csv
𝑥
< 3.7.3
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/7f947305-7a72-4c59-9ae8-193f437fd04e/
https://wpscan.com/vulnerability/7f947305-7a72-4c59-9ae8-193f437fd04e/