CVE-2023-1381

moderate-risk
Published 2023-04-10

The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution.

Do I need to act?

~
9.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Wp Meta Seo

Affected Vendors

Joomunited

References (4)

Exploit https://blog.wpscan.com/uncovering-a-phar-deserialization-vulnerability-in-wp-me...
Exploit https://wpscan.com/vulnerability/f140a928-d297-4bd1-8552-bfebcedba536
Exploit https://blog.wpscan.com/uncovering-a-phar-deserialization-vulnerability-in-wp-me...
Exploit https://wpscan.com/vulnerability/f140a928-d297-4bd1-8552-bfebcedba536
46
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 11/34 · Low
Exposure 5/34 · Minimal