CVE-2023-4019

8.8 HIGH

📋 TL;DR

The Media from FTP WordPress plugin before version 11.17 does not properly authorize file operations, which lets users with the Author role or higher move sensitive files such as wp-config.php. Because critical WordPress configuration files can be overwritten this way, the flaw can lead to remote code execution. WordPress sites running a vulnerable version of this plugin are affected.

💻 Affected Systems

Products:
  • WordPress Media from FTP plugin
Versions: All versions before 11.17
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires at least one user with author role or higher. WordPress multisite installations may have different impact.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full site compromise through remote code execution, allowing attackers to take over the WordPress installation, access databases, and potentially compromise the entire server.

🟠 Likely Case

Unauthorized file movement leading to site defacement, data exposure, or limited code execution through manipulated configuration files.

🟢 If Mitigated

Minimal impact if proper user role management is enforced and file permissions are correctly configured.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires author-level credentials. The vulnerability is publicly documented with proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.17

Vendor Advisory: https://wpscan.com/vulnerability/0d323b07-c6e7-4aba-85bc-64659ad0c85d

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the 'Media from FTP' plugin.
  4. Click 'Update Now' if available.
  5. If no update appears, manually download version 11.17+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily deactivate the Media from FTP plugin until it is patched:

wp plugin deactivate media-from-ftp

Restrict user roles (platform: linux)

Remove the author and editor roles from untrusted users. `wp user set-role` takes a single user per call, so each ID is passed separately with `xargs -I{}`:

wp user list --role=author --field=ID | xargs -I{} wp user set-role {} subscriber
wp user list --role=editor --field=ID | xargs -I{} wp user set-role {} subscriber

🧯 If You Can't Patch

  • Implement strict file permissions on wp-config.php and other sensitive files
  • Monitor and audit user activity, especially file operations by author-level users

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Media from FTP → Version. If version is below 11.17, you are vulnerable.

Check Version:

wp plugin get media-from-ftp --field=version

Verify Fix Applied:

Verify plugin version is 11.17 or higher in WordPress admin panel.
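The version check above can be scripted so it is unambiguous for versions such as 11.9 (older than 11.17, although a plain string comparison would say otherwise) or 11.17.1 (patched). The script below is an added example, not part of the advisory or of the plugin; it assumes wp-cli is installed and that it is run from the WordPress root, and falls back to a pure version comparison when wp-cli is absent.

```shell
#!/bin/sh
# Added example (not from the advisory): compare an installed
# Media from FTP version against the fixed release 11.17.
# Assumes wp-cli is installed and the script runs from the WordPress root.

FIXED_VERSION="11.17"

# version_lt A B: return 0 (true) when dotted version A is older than B.
# Missing components count as 0, so 11 < 11.17 and 11.17 == 11.17.0.
# Non-numeric suffixes such as "-beta" are stripped from each component.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# check_version V: print a verdict for version string V and
# return 1 when V is still vulnerable, 0 when it carries the fix.
check_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE: Media from FTP $1 is older than $FIXED_VERSION"
        return 1
    fi
    echo "PATCHED: Media from FTP $1 (>= $FIXED_VERSION)"
    return 0
}

# Live check against the installed plugin, only when wp-cli is available
# and the plugin is installed (the wp-cli call is the one the advisory gives).
if command -v wp >/dev/null 2>&1; then
    installed="$(wp plugin get media-from-ftp --field=version 2>/dev/null)" \
        && check_version "$installed"
fi
```

The exit status of `check_version` makes the script usable from a cron job or a configuration-management check: a non-zero status means the site still needs the update.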

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file move operations in WordPress logs
  • wp-config.php modification attempts
  • Plugin activation/deactivation by non-admin users

Network Indicators:

  • POST requests to /wp-admin/admin.php?page=mediafromftp-search-register with file movement parameters

SIEM Query:

source="wordpress" AND (event="file_move" OR event="plugin_modified") AND user_role="author"
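The network indicator above can be checked against ordinary web-server access logs without a SIEM. The script below is an added example and is not part of the advisory: it reads combined-format access log lines, ignores the normal GET page views, and reports only POST requests to the plugin's search-register admin page together with the client IP, timestamp and response status. The log lines it ships with are constructed samples so it runs offline; in practice the function is fed with the real access log.

```shell
#!/bin/sh
# Added example (not from the advisory): flag POST requests to the
# Media from FTP admin page in combined-format access logs, matching
# the network indicator in the advisory. The sample lines are constructed.

# Constructed sample access log (combined format) for an offline run:
# one login, one normal GET page view, two POSTs to the register page.
SAMPLE_LOG='10.0.0.5 - - [12/Aug/2023:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Aug/2023:10:00:09 +0000] "POST /wp-admin/admin.php?page=mediafromftp-search-register HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Aug/2023:10:01:00 +0000] "GET /wp-admin/admin.php?page=mediafromftp-search-register HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2023:10:02:30 +0000] "POST /wp-admin/admin.php?page=mediafromftp-search-register HTTP/1.1" 302 0 "-" "curl/8.1"'

# flag_mediafromftp_posts: read access-log lines on stdin and print one
# line per POST to the plugin's search-register page:
#   <client ip> <timestamp> <request path> <status>
# In combined format field 6 is the quoted method, 7 the path, 9 the status.
flag_mediafromftp_posts() {
    awk '
        $6 == "\"POST" && $7 ~ /^\/wp-admin\/admin\.php\?page=mediafromftp-search-register/ {
            printf "%s %s %s %s\n", $1, $4, $7, $9
        }'
}

# count_flagged: number of flagged lines in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_mediafromftp_posts | wc -l | tr -d ' '
}

# Stand-alone run over the sample; replace the printf with
#   flag_mediafromftp_posts < /var/log/apache2/access.log
# (path is an assumption) to scan a real log.
printf '%s\n' "$SAMPLE_LOG" | flag_mediafromftp_posts
```

A hit is not proof of exploitation, since legitimate plugin use produces the same POST; it identifies which sessions to correlate with the WordPress user role and with file changes under the web root.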
