CVE-2023-4300

HIGH

Import XML and RSS Feeds WordPress Plugin < 2.1.4 - PHP File Upload Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-4300. PoCs published by bde574786.

AI-analyzed exploit summary: This repository contains functional exploit code for CVE-2023-4300, targeting the Moove XML Importer plugin for WordPress. The exploit leverages insecure AJAX actions to achieve unauthorized post creation and potentially remote code execution.

Description

The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution.

Exploits (1)

nomisec WORKING POC
by bde574786 · poc
https://github.com/bde574786/CVE-2023-4300

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moove XML Importer WordPress Plugin
No auth needed
Prerequisites: WordPress installation with vulnerable Moove XML Importer plugin
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42

Scores

CVSS v3 7.2
EPSS 0.0170
EPSS Percentile 74.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

Status published
Products (1)
mooveagency/import_xml_and_rss_feeds < 2.1.4
Published Sep 25, 2023
Tracked Since Feb 18, 2026