The FULL - Customer plugin for WordPress is vulnerable to Arbitrary File Upload via the /install-plugin REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to execute code by installing plugins from arbitrary remote locations including non-repository sources onto the site, granted they are packaged as a valid WordPress plugin.
Metrics
Affected Vendors & Products
References
History
Wed, 05 Feb 2025 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|

Status: PUBLISHED
Assigner: Wordfence
Published: 2023-08-09T03:36:13.639Z
Updated: 2025-02-05T19:37:01.446Z
Reserved: 2023-08-08T15:28:57.270Z
Link: CVE-2023-4243

Updated: 2024-08-02T07:24:03.699Z

Status : Modified
Published: 2023-08-09T04:15:10.807
Modified: 2024-11-21T08:34:41.997
Link: CVE-2023-4243

No data.