CVE-2023-2767 in File Upload Plugininfo

Summary

by MITRE • 06/09/2023

The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.19.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/10/2026

The vulnerability identified as CVE-2023-2767 affects WordPress File Upload and WordPress File Upload Pro plugins, representing a critical stored cross-site scripting flaw that undermines the security integrity of WordPress installations. This vulnerability specifically targets versions up to and including 4.19.1, where the plugins fail to adequately sanitize user inputs and escape output data within their administrative settings interfaces. The flaw manifests in the way these plugins handle user-supplied data when processing file upload configurations and settings, creating an attack vector that can be exploited by malicious actors with administrator-level privileges or higher.

The technical exploitation of this vulnerability occurs through the manipulation of administrative settings where unfiltered input is accepted and subsequently stored within the WordPress database. When authenticated attackers with administrator permissions modify plugin configurations, they can inject malicious script code that persists in the system's database. This stored malicious content becomes executable whenever any user with appropriate permissions accesses pages that contain the injected script, creating a persistent threat vector that can compromise multiple users within the affected WordPress installation. The vulnerability's impact is particularly severe because it leverages the elevated privileges of administrators to establish a foothold that can later be exploited by other users with lesser permissions.

The operational implications of CVE-2023-2767 extend beyond simple script injection, as it provides attackers with potential access to sensitive administrative functions and user data. In multi-site WordPress installations where the vulnerability is present, the attack surface expands significantly since malicious scripts can be injected into various networked sites. The restriction that only affects installations where unfiltered_html has been disabled actually demonstrates the vulnerability's sophisticated nature, as it requires the system to be configured in a specific way to make the attack possible, yet this configuration is common in enterprise environments. This vulnerability directly maps to CWE-79, which defines cross-site scripting flaws, and aligns with ATT&CK technique T1059.007 for command and scripting interpreter, as attackers can execute malicious scripts that may lead to further system compromise.

Organizations affected by this vulnerability should implement immediate mitigations including updating to the latest plugin versions where the vulnerability has been patched, reviewing administrative user permissions to limit the scope of potential attackers, and implementing robust input validation measures. Security teams should also consider monitoring administrative access logs for suspicious activity and conducting thorough security audits of plugin configurations. The recommended approach involves disabling the affected plugin functionality until patches are applied, implementing network-level protections such as web application firewalls, and establishing proper access controls that limit administrative privileges to only essential personnel. Additionally, organizations should consider implementing security awareness training to prevent social engineering attacks that might attempt to gain administrator access to exploit this vulnerability.

Responsible

Wordfence

Reservation

05/17/2023

Disclosure

06/09/2023

Moderation

accepted

CPE

ready

EPSS

0.00376

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!