CVE-2023-47840

CRITICAL

Qode Essential Addons < 1.5.2 - Arbitrary Plugin Installation and Activation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-47840. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2023-47840, which leverages a missing capability check in the Qode Essential Addons plugin to allow authenticated users (subscriber+) to install and activate arbitrary WordPress plugins. The script automates login, nonce retrieval, and plugin installation/activation via the WordPress REST API.

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Qode Interactive Qode Essential Addons. This issue affects Qode Essential Addons: from n/a through 1.5.2.

Exploits (1)

nomisec · Working PoC · 3 stars
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2023-47840

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Qode Essential Addons plugin for WordPress <= 1.5.2
Auth: required
Prerequisites: Valid WordPress credentials (subscriber+) · Target site with vulnerable Qode Essential Addons plugin
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3 9.9
EPSS 0.0141
EPSS Percentile 69.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (2)
Qode Interactive/Qode Essential Addons < 1.5.2
qodeinteractive/qode_essential_addons < 1.5.2
Published Dec 29, 2023
Tracked Since Feb 18, 2026