CVE-2023-5601

9.8

Critical

Published:6 Nov 2023

Last updated:17 Jun 2026

Source:contact@wpscan.com

Modified

Weakness (CWE)

CWE-434Unrestricted File Upload

CVSS Vector

v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

View on MITRE Find PoC on GitHub

Description

The WooCommerce Ninja Forms Product Add-ons WordPress plugin before 1.7.1 does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE.

References

contact@wpscan.com

https://wpscan.com/vulnerability/0035ec5e-d405-4eb7-8fe4-29dd0c71e4bc

af854a3a-2127-422b-91ae-364da2661108

https://wpscan.com/vulnerability/0035ec5e-d405-4eb7-8fe4-29dd0c71e4bc