CVE-2023-4536
📋 TL;DR
This vulnerability in the My Account Page Editor WordPress plugin allows authenticated users (even with low privileges like 'subscriber') to upload arbitrary files without validation. Attackers can upload malicious files to achieve remote code execution (RCE) on the server. Any WordPress site using vulnerable versions of this plugin is affected.
💻 Affected Systems
- My Account Page Editor WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary code, install backdoors, steal data, deface websites, or pivot to internal networks.
Likely Case
Website defacement, malware installation, data theft, or use as part of a botnet.
If Mitigated
Limited impact if execution of files in the uploads directory is blocked at the web server level, or if the plugin is disabled.
🎯 Exploit Status
Exploitation requires authenticated access but even low-privilege accounts can exploit it. Simple file upload bypass leads to RCE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.2
Vendor Advisory: https://wpscan.com/vulnerability/80e0e21c-9e6e-406d-b598-18eb222b3e3e/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'My Account Page Editor'.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 1.3.2+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched.
wp plugin deactivate my-account-page-editor
Restrict File Uploads
Configure the web server to block execution of uploaded files in the wp-content/uploads directory. Both rules below match only the final extension of the requested file name; if your PHP handler is configured with AddHandler rather than SetHandler, Apache can still treat a name such as file.php.jpg as PHP, so check the handler configuration as well.
# Apache: Add to .htaccess in the uploads directory (requires AllowOverride to permit it):
<FilesMatch "\.(php|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
  # Apache 2.4 syntax
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 syntax (also 2.4 with mod_access_compat loaded)
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
# Nginx: Add to the server block, placed BEFORE the generic PHP location
# (location ~ \.php$ { ... }); regex locations are matched in order and the first match wins:
location ~* /wp-content/uploads/.*\.(php|php5|phtml|pl|py|jsp|asp|sh|cgi)$ {
    deny all;
}
🧯 If You Can't Patch
- Remove plugin completely from the WordPress installation.
- Implement strict file upload validation at application level for all user inputs.
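To check whether executable files have already landed in the uploads tree (and to validate that the web-server rules above cover what is actually on disk), here is an added audit script that is not part of the advisory or the plugin. It uses the same extension list as the Apache/Nginx rules, additionally flags double extensions such as avatar.php.jpg, and builds a constructed sample tree in a temporary directory when run without a path. The UPLOADS_DIR default is an assumed path.

```python
"""Audit a wp-content/uploads tree for files with server-executable extensions.

Added example, not part of the advisory or the plugin. Uses the same
extension list as the advisory's Apache/Nginx rules and additionally flags
double extensions such as 'avatar.php.jpg'. UPLOADS_DIR is an assumed default.
"""
import re
import sys
import tempfile
from pathlib import Path

# Extension list taken from the advisory's web-server rules.
EXEC_EXTENSIONS = ("php", "php5", "phtml", "pl", "py", "jsp", "asp", "sh", "cgi")

# Match a listed extension followed by either another dot or the end of the
# name, so 'x.php' and 'x.php.jpg' both match but 'phpinfo.txt' does not.
EXEC_RE = re.compile(r"\.(" + "|".join(EXEC_EXTENSIONS) + r")(\.|$)", re.IGNORECASE)

UPLOADS_DIR = "wp-content/uploads"  # assumed default, relative to the WordPress root


def is_suspicious_name(name):
    """True when the file name carries an executable extension anywhere after a dot."""
    return EXEC_RE.search(name) is not None


def audit_uploads(root):
    """Return sorted POSIX-style relative paths of suspicious files under root."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and is_suspicious_name(p.name)
    )


def demo():
    """Build a constructed uploads tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("2023/09/photo.jpg", "2023/09/avatar.php",
                    "2023/09/avatar.php.jpg", "2023/10/notes.txt"):
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("placeholder")  # constructed content, not a real upload
        return audit_uploads(tmp)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else UPLOADS_DIR
    if Path(target).is_dir():
        for hit in audit_uploads(target):
            print(hit)
    else:
        print("demo run:", demo())
```

Review every hit before deleting anything: some plugins drop an empty index.php guard file into upload subdirectories, which this scan will also report. Treat any other PHP or script file under uploads as an incident indicator and preserve it for forensics rather than simply removing it.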
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is below 1.3.2, you are vulnerable.
Check Version:
wp plugin get my-account-page-editor --field=version
Verify Fix Applied:
Confirm plugin version is 1.3.2 or higher in WordPress admin panel.
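For hosts where WP-CLI is not available, the same check can be done by reading the plugin's header comment, which every WordPress plugin carries in its main PHP file. This is an added example, not part of the advisory or the plugin; the file path under PLUGIN_FILE is an assumption, and the sample header is constructed.

```python
"""Determine whether the installed plugin is below the fixed version (1.3.2).

Added example, not from the advisory or the plugin. WordPress plugins declare
their version in a header comment ("Version: x.y.z") in the main plugin file;
PLUGIN_FILE below is an assumed path and SAMPLE_HEADER is constructed.
"""
import re
import sys
from pathlib import Path

FIXED_VERSION = "1.3.2"  # from the advisory

# Assumed location of the plugin's main file; the slug comes from the advisory's wp-cli commands.
PLUGIN_FILE = "wp-content/plugins/my-account-page-editor/my-account-page-editor.php"

# Header lines look like " * Version: 1.3.1" inside a /** ... */ comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(text):
    """'1.3.10' -> (1, 3, 10); stops at the first non-numeric piece (e.g. '-beta')."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def header_version(plugin_source):
    """Extract the Version header value from plugin source text, or None."""
    m = VERSION_RE.search(plugin_source)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True when the installed version is below the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_plugin_file(path):
    """Return (version, vulnerable) for a plugin file; version is None if unreadable."""
    try:
        source = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None, None
    version = header_version(source)
    return version, (is_vulnerable(version) if version else None)


# Constructed sample of a plugin header, used when no file is given.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: My Account Page Editor
 * Version: 1.3.1
 */
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_plugin_file(sys.argv[1]))
    else:
        v = header_version(SAMPLE_HEADER)
        print(f"sample header version {v}: vulnerable={is_vulnerable(v)}")
```

Tuple comparison keeps 1.3.10 above 1.3.2, which a plain string comparison would get wrong. A two-part version such as 1.3 compares as (1, 3) and is correctly reported as below 1.3.2.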
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to wp-content/uploads/ directory from authenticated users
- POST requests to /wp-admin/admin-ajax.php with action related to profile picture upload
- Execution of PHP files from uploads directory
Network Indicators:
- HTTP POST requests with file uploads to WordPress admin endpoints from low-privilege user accounts
- Unexpected outbound connections from web server after file upload
SIEM Query:
source="web_server_logs" AND (
  (uri_path="/wp-admin/admin-ajax.php" AND method="POST" AND user_agent NOT IN ("WordPress/*"))
  OR
  (uri_path CONTAINS "/wp-content/uploads/" AND extension IN ("php", "php5", "phtml", "pl", "py", "jsp", "asp", "sh", "cgi"))
)
Note: the outer parentheses are required; without them AND binds tighter than OR and the source filter applies only to the admin-ajax clause. Expect the admin-ajax clause to match routine traffic from any logged-in user, so use it to correlate with uploads-directory hits rather than as a standalone alert.
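The same two indicators can be checked offline against raw access logs. Here is an added example (not part of the advisory) that parses Apache/Nginx combined-format log lines and applies the rules from the query above: a POST to /wp-admin/admin-ajax.php from a user agent other than WordPress's own loopback/cron agent, and any request for an executable-extension file under /wp-content/uploads/. The log lines are constructed samples with documentation IP addresses.

```python
"""Flag web-server log lines matching the advisory's detection indicators.

Added example, not part of the advisory. Reads combined-format access log
lines and applies two rules: (1) POST to /wp-admin/admin-ajax.php from a
non-WordPress user agent, (2) any request for a file with an executable
extension under /wp-content/uploads/. SAMPLE_LOG is constructed.
"""
import re

# Extension list from the advisory.
EXEC_EXTENSIONS = ("php", "php5", "phtml", "pl", "py", "jsp", "asp", "sh", "cgi")

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
EXEC_IN_UPLOADS_RE = re.compile(
    r"^/wp-content/uploads/.*\.(" + "|".join(EXEC_EXTENSIONS) + r")$", re.IGNORECASE
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the matching rule name for one parsed entry, or None."""
    path = entry["path"].split("?", 1)[0]  # drop the query string before checking the extension
    if (entry["method"] == "POST" and path == "/wp-admin/admin-ajax.php"
            and not entry["ua"].startswith("WordPress/")):
        return "ajax_post"
    if EXEC_IN_UPLOADS_RE.match(path):
        return "exec_in_uploads"
    return None


def analyze(lines):
    """Run both rules over an iterable of log lines and return the findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line (different log format, truncated write)
        rule = classify(entry)
        if rule:
            findings.append({
                "rule": rule,
                "ip": entry["ip"],
                "time": entry["time"],
                "path": entry["path"].split("?", 1)[0],
                "status": entry["status"],
            })
    return findings


# Constructed sample log; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.test/my-account/" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "WordPress/6.3; https://example.test"
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /wp-content/uploads/2023/10/avatar.php?v=2 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

An exec_in_uploads hit with status 200 is the strong signal: once the Apache or Nginx rules from the workaround section are in place, such requests should return 403, so a 200 means either the rules are not applied or the file is being served by a path the rules do not cover. The ajax_post rule fires for ordinary logged-in activity and is mainly useful to find the account and source address that preceded an uploads-directory hit.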