CVE-2023-5199
moderate-risk
Published 2023-10-30
The PHP to Page plugin for WordPress is vulnerable to Local File Inclusion leading to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above to include local files and potentially execute code on the server. While subscribers may need to poison log files or otherwise get a file installed in order to achieve remote code execution, author and above users can upload files by default and achieve remote code execution easily.
Do I need to act?
5.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.9/10
Critical
NETWORK / LOW complexity
Affected Products (1)
Php To Page
Affected Vendors
References (4)
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/83e5a0dc-fc51-4565-945...
46 / 100
moderate-risk
Severity
33/34 · Critical
Exploitability
8/34 · Low
Exposure
5/34 · Minimal