The Import XML and RSS Feeds WordPress plugin before 2.1...
Critical severity
Unreviewed
Published Sep 25, 2023 to the GitHub Advisory Database • Updated Apr 4, 2024
Description
Published by the National Vulnerability Database: Sep 25, 2023
The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version.