CVE-2023-5054

MEDIUM EXPLOITED

Super Store Finder <6.9.3 - Unauthenticated RCE


Exploitation Summary

CVE-2023-5054 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The Super Store Finder plugin for WordPress is vulnerable to unauthenticated arbitrary email creation and relay in versions up to, and including, 6.9.3. This is due to insufficient restrictions on the sendMail.php file, which allows direct access. This makes it possible for unauthenticated attackers to send emails with arbitrary content utilizing the vulnerable site's server. Please note that this vulnerability has already been publicly disclosed with an exploit, which is why we are publishing the details without a patch available; we are attempting to initiate contact with the developer.

Scores

CVSS v3 5.8
EPSS 0.0054
EPSS Percentile 41.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2023-09-18
CWE
CWE-862
Status published
Products (2)
Super Store Finder/Super Store Finder < 6.9.3
superstorefinder/super_store_finder < 6.9.2
Published Sep 19, 2023
Tracked Since Feb 18, 2026