Vulnerability Description
The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the contents of the .htaccess files located in a site's root directory or /wp-content and /wp-includes folders and achieve remote code execution. CVE-2023-46623 appears to be a duplicate of this issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wpvnteam | Wp Extra | < 6.3 |
Related Weaknesses (CWE)
References
- https://giongfnef.gitbook.io/giongfnef/cve/cve-2023-5311ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2977703/wp-extraPatch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/87e3dd5e-0d77-4d78-817PatchThird Party Advisory
- https://giongfnef.gitbook.io/giongfnef/cve/cve-2023-5311ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2977703/wp-extraPatch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/87e3dd5e-0d77-4d78-817PatchThird Party Advisory
FAQ
What is CVE-2023-5311?
CVE-2023-5311 is a vulnerability with a CVSS score of 8.8 (HIGH). The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register() function in versions up to, and including, 6.2. This makes it p...
How severe is CVE-2023-5311?
CVE-2023-5311 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-5311?
Check the references section above for vendor advisories and patch information. Affected products include: Wpvnteam Wp Extra.