CVE-2019-17232
HIGH EXPLOITED IN THE WILD NUCLEIUltimate FAQ < 1.8.24 - Unauthenticated Options Import via EWD_UFAQ_Import.php
Title source: llmExploitation Summary
CVE-2019-17232 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). A Nuclei detection template is also available.
Description
Functions/EWD_UFAQ_Import.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows unauthenticated options import.
Nuclei Templates (1)
WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated Options Import and Export
HIGHVERIFIEDby daffainfo
Shodan:
http.html:"/wp-content/plugins/ultimate-faqs"
FOFA:
body="/wp-content/plugins/ultimate-faqs"
References (3)
Core 3
Core References
Product, Release Notes x_refsource_misc
https://wordpress.org/plugins/ultimate-faqs/#developers
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9883
Exploit, Third Party Advisory x_refsource_misc
https://blog.nintechnet.com/unauthenticated-options-import-vulnerability-in-wordpress-ultimate-faq-plugin/
Scores
CVSS v3
7.5
EPSS
0.0352
EPSS Percentile
87.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
VulnCheck KEV
2022-12-30
InTheWild.io
2023-01-02
CWE
CWE-306
Status
published
Products (1)
etoilewebdesign/ultimate_faq
< 1.8.24
Published
Oct 07, 2019
Tracked Since
Feb 18, 2026