CVE-2023-4521
CRITICAL NUCLEIImport XML and RSS Feeds WordPress Plugin < 2.1.5 - Web Shell Code Execution
Title source: manualExploitation Summary
CVE-2023-4521 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version.
Nuclei Templates (1)
Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
CRITICALby princechaddha
Shodan:
http.html:"import-xml-feed"
FOFA:
body="import-xml-feed"
References (1)
Core 1
Core References
Exploit, Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/de2cdb38-3a9f-448e-b564-a798d1e93481
Scores
CVSS v3
9.8
EPSS
0.3955
EPSS Percentile
98.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
Status
published
Products (1)
mooveagency/import_xml_and_rss_feeds
< 2.1.5
Published
Sep 25, 2023
Tracked Since
Feb 18, 2026