CVE-2023-5822

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Nov 22, 2023

Updated: Nov 29, 2023

CWE ID 434

Summary

CVE-2023-5822: This vulnerability affects the Contact Form 7 plugin for WordPress, specifically versions up to and including 1.3.7.3. The issue lies in the 'dnd_upload_cf7_upload' function, which lacks sufficient file type validation. Unauthenticated attackers can exploit this vulnerability by uploading arbitrary files, potentially leading to remote code execution. This can occur if a user with editor privileges or higher adds a 'multiple file upload' form field with '*' acceptable file types.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/tKBlQL
https://www.cve.org/CVERecord?id=CVE-2023-5822
https://nvd.nist.gov/vuln/detail/CVE-2023-5822

Back to Vulnerability Database

CVE-2023-5822

CVSS 3.1 Score 9.8 of 10 (high)

Details

Summary

Advisories, Assessments, and Mitigations