CVE-2023-5816

External Control of File Name or Path (CWE-73)

Published: Oct 30, 2024 / Updated: 21d ago

CVSS 4.9 / EPSS 0.04% / Medium

The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is because the plugin does not restrict file access to paths within the WordPress instance, even though it is intended to access only WordPress-related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
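The root cause described above is a missing path-containment check (CWE-73): a requested file name is used without confirming that it resolves inside the install. The following PHP is an added illustration, not code from the Code Explorer plugin, of the check a plugin like this needs. It canonicalises the requested path with realpath() and accepts it only if the result sits under the install root; the $root argument stands in for WordPress's ABSPATH, and the temporary tree, files and symlink it builds are constructed for the demo.

```php
<?php
// Added example, not the Code Explorer plugin's code: confine file reads to the install root.
// $root stands in for WordPress's ABSPATH; the demo tree below is constructed.

function resolve_within_root(string $root, string $requested): ?string
{
    // Canonical root with a trailing separator, so the prefix test cannot be
    // satisfied by a sibling directory such as "/var/www/html-backup".
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    $rootReal = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Embedded NUL bytes can truncate the path in lower-level calls; reject them.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Re-root the request (an absolute request loses its leading slash) and
    // canonicalise it: realpath() collapses "..", resolves symlinks and returns
    // false for anything that does not exist.
    $candidate = realpath($rootReal . ltrim($requested, '/\\'));
    if ($candidate === false) {
        return null;
    }

    // Accept the root itself, or any canonical path that starts with root + separator.
    if ($candidate === rtrim($rootReal, DIRECTORY_SEPARATOR)) {
        return $candidate;
    }
    return strncmp($candidate, $rootReal, strlen($rootReal)) === 0 ? $candidate : null;
}

// --- Constructed demo tree: a throwaway "install" with one file and a symlink pointing out of it.
$root = sys_get_temp_dir() . '/wp_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/wp-content', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed sample\n");
@symlink('/etc', $root . '/wp-content/escape');

$cases = [
    'wp-config.php'               => 'inside the install: allowed',
    'wp-content/../wp-config.php' => '".." that stays inside: allowed',
    '../../../../etc/hosts'       => 'traversal out of the tree: rejected',
    '/etc/hosts'                  => 'absolute path is re-rooted and does not exist there: rejected',
    'wp-content/escape/hosts'     => 'symlink resolves outside the root: rejected',
    "wp-config.php\0.txt"         => 'embedded NUL byte: rejected',
];
foreach ($cases as $req => $why) {
    $res = resolve_within_root($root, $req);
    printf("%-32s %-9s (%s)\n", addcslashes($req, "\0"), $res === null ? 'REJECTED' : 'OK', $why);
}

// Tidy up the constructed tree.
@unlink($root . '/wp-content/escape');
unlink($root . '/wp-config.php');
rmdir($root . '/wp-content');
rmdir($root);
```

The decision is made on the resolved path rather than on the string the user supplied, which is why a symlink inside wp-content that points elsewhere is rejected along with plain "../" traversal. Because realpath() returns false for non-existent paths, nothing outside the tree is ever opened, and the caller only needs to treat null as "deny".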

Timeline

First Article

Feedly found the first article mentioning CVE-2023-5816.

Oct 30, 2024 at 2:29 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 30, 2024 at 2:29 AM
CVE Assignment

NVD published the first details for CVE-2023-5816

Oct 30, 2024 at 3:15 AM
CVSS

A CVSS base score of 4.9 has been assigned.

Oct 30, 2024 at 3:15 AM / nvd
Threat Intelligence Report

CVE-2023-5816 is a medium-severity vulnerability (CVSS 3.1 Base Score: 4.90) in the Code Explorer plugin for WordPress, allowing authenticated attackers with administrator-level access to read arbitrary external files outside the WordPress instance. The vulnerability affects all versions up to and including 1.4.5, and while the article does not mention any proof-of-concept exploits or specific mitigations, it highlights the potential risk of unauthorized file access. There is no indication of exploitation in the wild or downstream impacts on other third-party vendors.

Oct 30, 2024 at 8:46 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.9%)

Oct 30, 2024 at 10:17 AM

Affected Systems

Bowo/code_explorer

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-13: Subverting Environment Variable Values

References

CVE-2023-5816
This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance. Severity 3.1 (CVSS 3.1 Base Score)

News

Update Thu Oct 31 14:35:57 UTC 2024
CVE-2023-5816
Medium Severity. Description: The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPress instance, though the intention of the plugin is to only access WordPress related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance. Read more at https://www.tenable.com/cve/CVE-2023-5816
NA - CVE-2023-5816 - The Code Explorer plugin for WordPress is...
The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict...
CVE-2023-5816
This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance. Severity 3.1 (CVSS 3.1 Base Score)
Code Explorer <= 1.4.5 - Authenticated (Admin+) External File Reading
Qriouslad - MEDIUM - CVE-2023-5816 The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPress instance, though the intention of the plugin is to only access WordPress related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
