CVE-2023-28667

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary PHP code on WordPress sites running the vulnerable Lead Generated plugin. Attackers can exploit insecure deserialization in the tve_api_form_submit action to achieve remote code execution. All WordPress sites using Lead Generated plugin version 1.23 or earlier are affected.

💻 Affected Systems

Products:
  • Lead Generated WordPress Plugin
Versions: <= 1.23
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Lead Generated plugin enabled. No special configuration needed for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to website defacement, data theft, malware distribution, or ransomware deployment.

🟠 Likely Case

Remote code execution allowing attackers to create backdoors, steal sensitive data, or install cryptocurrency miners.

🟢 If Mitigated

Attack blocked at WAF level or plugin disabled, preventing exploitation but potentially breaking functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a usable POP (property-oriented programming) gadget chain on the target site, but a public proof-of-concept exists and no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 1.23

Vendor Advisory: https://www.tenable.com/security/research/tra-2023-7

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the Lead Generated plugin.
4. Update to the latest version.
5. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the Lead Generated plugin until patched

wp plugin deactivate lead-generated

WAF rule blocking

all

Block requests that carry a tve_labels parameter to the tve_api_form_submit admin-ajax action

🧯 If You Can't Patch

  • Disable the Lead Generated plugin immediately
  • Implement web application firewall rules to block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Lead Generated version number

Check Version:

wp plugin list --name=lead-generated --field=version

Verify Fix Applied:

Confirm plugin version is greater than 1.23 in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with tve_labels parameter
  • Unusual PHP error logs mentioning unserialize()

Network Indicators:

  • HTTP POST requests containing serialized PHP objects in tve_labels parameter

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params CONTAINS "tve_labels"
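The log and network indicators above, turned into a small log-scanning routine; this is an added example, not code from the advisory or the plugin vendor. It assumes a log format that records the POST body after the status code as body="...", and the sample lines are constructed. It goes one step beyond the SIEM query by also checking whether the tve_labels value starts with a PHP serialized-object marker.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines (not real traffic). Format assumed here:
# <ip> - - [time] "<method> <uri> HTTP/x" <status> body="<urlencoded POST body>"
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 body="action=tve_api_form_submit&tve_labels=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A1%3A%22b%22%3B%7D"
203.0.113.6 - - [01/Apr/2023:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 body="action=tve_api_form_submit&tve_labels=newsletter"
203.0.113.7 - - [01/Apr/2023:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 body="action=heartbeat&interval=60"
203.0.113.8 - - [01/Apr/2023:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=tve_api_form_submit&tve_labels=x HTTP/1.1" 200 body=""
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)
# A PHP serialized object or custom-serialized class starts with O:<len>:" or C:<len>:"
PHP_OBJECT_RE = re.compile(r'^\s*[OC]:\d+:"')


def classify(line):
    """Return a finding dict for a suspicious admin-ajax POST, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m["method"] != "POST" or m["uri"].split("?", 1)[0] != "/wp-admin/admin-ajax.php":
        return None
    params = parse_qs(m["body"], keep_blank_values=True)  # also URL-decodes values
    if "tve_labels" not in params:
        return None
    action = params.get("action", [""])[0]
    serialized = bool(PHP_OBJECT_RE.match(params["tve_labels"][0]))
    if serialized and action == "tve_api_form_submit":
        severity = "high"      # matches the vulnerable action with an object payload
    elif serialized:
        severity = "medium"    # object payload, but aimed at another action
    else:
        severity = "low"       # parameter present, value is not a serialized object
    return {"ip": m["ip"], "action": action, "serialized_object": serialized, "severity": severity}


def scan(log_text):
    """Apply classify() to every line and keep the hits, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```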
