CVE-2023-0477 — HIGH (8.8) — White Hats Nepal

Q: How severe is CVE-2023-0477?

CVE-2023-0477 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-0477?

Check the references section above for vendor advisories and patch information. Affected products include: Cm-Wp Auto Featured Image.

Vulnerability Description

The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.16 includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files. This is caused by incorrect file extension validation.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cm-Wp	Auto Featured Image	< 3.9.16

Related Weaknesses (CWE)

CWE-434

References

https://wpscan.com/vulnerability/e5ef74a2-e04a-4a14-bd0e-d6910cd1c4b4ExploitThird Party Advisory
https://wpscan.com/vulnerability/e5ef74a2-e04a-4a14-bd0e-d6910cd1c4b4ExploitThird Party Advisory

FAQ

What is CVE-2023-0477?

CVE-2023-0477 is a vulnerability with a CVSS score of 8.8 (HIGH). The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.16 includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files...

How severe is CVE-2023-0477?

CVE-2023-0477 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-0477?

Check the references section above for vendor advisories and patch information. Affected products include: Cm-Wp Auto Featured Image.