CVE-2019-17233
MEDIUM EXPLOITED IN THE WILD NUCLEIUltimate FAQ < 1.8.24 - Unauthenticated HTML Content Injection via Import Function
Title source: llmExploitation Summary
CVE-2019-17233 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). A Nuclei detection template is also available.
Description
Functions/EWD_UFAQ_Import.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection.
Nuclei Templates (1)
WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated HTML Content Injection
MEDIUMVERIFIEDby daffainfo
References (3)
Core 3
Core References
Product, Release Notes x_refsource_misc
https://wordpress.org/plugins/ultimate-faqs/#developers
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9883
Exploit, Third Party Advisory x_refsource_misc
https://blog.nintechnet.com/unauthenticated-options-import-vulnerability-in-wordpress-ultimate-faq-plugin/
Scores
CVSS v3
6.1
EPSS
0.0184
EPSS Percentile
76.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
VulnCheck KEV
2022-12-30
InTheWild.io
2023-01-02
CWE
CWE-79
Status
published
Products (1)
etoilewebdesign/ultimate_faq
< 1.8.24
Published
Oct 07, 2019
Tracked Since
Feb 18, 2026