The FULL - Customer plugin for WordPress is vulnerable to Arbitrary File Upload via the /install-plugin REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to execute code by installing plugins from arbitrary remote locations including non-repository sources onto the site, granted they are packaged as a valid WordPress plugin.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2023-08-09T03:36:13.639Z
Updated: 2024-08-02T07:24:03.699Z
Reserved: 2023-08-08T15:28:57.270Z
Link: CVE-2023-4243
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-08-09T04:15:10.807
Modified: 2023-11-07T04:22:21.837
Link: CVE-2023-4243
Redhat
No data.