CVE-2023-5201 Information

Oct 01, 2023 cve

Description

The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to and including 4.3.0 via the ‘php’ shortcode. This allows authenticated attackers with subscriber-level permissions or above to execute code on the server. This requires the [php] shortcode setting to be enabled on the vulnerable site.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Reference

https://plugins.trac.wordpress.org/browser/thesis-openhook/tags/4.3.1/inc/shortcodes.php?rev=2972840#L24 https://www.wordfence.com/threat-intel/vulnerabilities/id/37b9ed0e-5af2-47c1-b2da-8d103e4c31bf?source=cve https://plugins.trac.wordpress.org/browser/thesis-openhook/tags/4.3.0/inc/shortcodes.php#L28

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.9

Share on: