CVE-2023-45603

9.0 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress sites using the User Submitted Posts plugin. Attackers can upload malicious files like PHP shells, leading to remote code execution. All WordPress sites with vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WordPress User Submitted Posts plugin
Versions: All versions up to and including 20230902
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default plugin configuration when file uploads are enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover through remote code execution, data theft, defacement, and malware distribution.

🟠 Likely Case

Attackers upload web shells to gain persistent access, then escalate to full server compromise.

🟢 If Mitigated

File uploads are blocked or properly validated, preventing malicious file execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST requests with malicious files can exploit this vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 20230902

Vendor Advisory: https://patchstack.com/database/vulnerability/user-submitted-posts/wordpress-user-submitted-posts-plugin-20230902-unauthenticated-arbitrary-file-upload-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'User Submitted Posts'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.

🔧 Temporary Workarounds

Disable file uploads in plugin (all platforms)

Configure the plugin to disallow file uploads entirely.

Web server file restriction (Linux)

Block execution of uploaded files in the uploads directory. Add to .htaccess in wp-content/uploads:

<Files *.php>
    deny from all
</Files>

On Apache 2.4 without mod_access_compat, use Require all denied in place of deny from all. Note that <Files *.php> matches only the .php extension; if your server also hands .phtml or other extensions to PHP, widen the pattern (for example with a FilesMatch block) so those are denied as well.

🧯 If You Can't Patch

  • Disable or remove the User Submitted Posts plugin immediately
  • Implement WAF rules to block file uploads to the affected endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → User Submitted Posts version. If version is 20230902 or earlier, you are vulnerable.

Check Version:

wp plugin get user-submitted-posts --field=version

Verify Fix Applied:

Verify that the plugin version is newer than 20230902, then test the upload form to confirm it rejects restricted file types.
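The .htaccess workaround above and this verification step both come down to the same two questions about wp-content/uploads: is the deny block in place, and are there any files with an executable extension already sitting in the tree? The following script is an added example (not part of the advisory or the plugin) that answers both. The extension set, the heuristic .htaccess check, and the sample directory it builds under a temporary path are assumptions constructed for the demo; point audit_uploads() at a real uploads directory to use it.

```python
import os
import re
import tempfile

# File extensions a typical PHP handler will execute (assumption: align this set
# with the AddHandler / SetHandler lines of your own server configuration).
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
# Accept either the Apache 2.2 form used in the advisory ("deny from all")
# or the Apache 2.4 form ("Require all denied").
DENY_RE = re.compile(r'deny\s+from\s+all|require\s+all\s+denied', re.IGNORECASE)
FILES_BLOCK_RE = re.compile(r'<Files(Match)?\b[^>]*>', re.IGNORECASE)


def has_executable_extension(filename):
    """True if any dot-separated segment after the base name is a PHP-like
    extension. This flags 'x.php' and also 'x.php.jpg': on servers that map
    handlers with AddHandler, the inner .php segment is still executed."""
    return any(seg in EXEC_EXTS for seg in filename.lower().split(".")[1:])


def audit_uploads(uploads_dir):
    """Return (htaccess_ok, suspicious_files) for a wp-content/uploads tree.

    htaccess_ok is a heuristic: the .htaccess must contain a <Files>/<FilesMatch>
    block and a deny directive. suspicious_files are paths (relative to
    uploads_dir, '/'-separated) with an executable extension anywhere in the name.
    """
    htaccess_ok = False
    htaccess = os.path.join(uploads_dir, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        htaccess_ok = bool(FILES_BLOCK_RE.search(text) and DENY_RE.search(text))
    suspicious = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if has_executable_extension(name):
                rel = os.path.relpath(os.path.join(root, name), uploads_dir)
                suspicious.append(rel.replace(os.sep, "/"))
    return htaccess_ok, sorted(suspicious)


def build_demo_tree(with_htaccess=True):
    """Create a throwaway uploads directory with constructed sample files and
    return its path (demo scaffolding only, not something to run on a live site)."""
    base = tempfile.mkdtemp(prefix="uploads-demo-")
    sample_files = [
        "2023/10/photo.jpg",        # benign
        "2023/10/uploaded.php",     # executable: should never be here
        "2023/10/avatar.php.jpg",   # double extension: still risky on some handlers
        "2022/01/notes.txt",        # benign
    ]
    for rel in sample_files:
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    if with_htaccess:
        with open(os.path.join(base, ".htaccess"), "w") as fh:
            fh.write("<Files *.php>\n    deny from all\n</Files>\n")
    return base


if __name__ == "__main__":
    for flag in (True, False):
        path = build_demo_tree(with_htaccess=flag)
        ok, files = audit_uploads(path)
        print(f"{path}: htaccess_ok={ok} suspicious={files}")
```

The .htaccess check is deliberately loose: it confirms the block exists but not that Apache honours it (AllowOverride must permit it for the uploads directory), so treat a True result as a prerequisite rather than proof, and confirm with an actual request for a harmless .php test file as the verification step describes.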

📡 Detection & Monitoring

Log Indicators:

  • Multiple file upload attempts to /wp-admin/admin-ajax.php with POST parameter 'usp-file-upload'
  • Uploads of .php, .phtml, or other executable files to uploads directory

Network Indicators:

  • HTTP POST requests to admin-ajax.php with file uploads containing unusual file types
  • Traffic spikes to uploaded files in wp-content/uploads

SIEM Query:

source="web_access.log" AND (uri_path="/wp-admin/admin-ajax.php" AND method="POST" AND (form_data CONTAINS "usp-file-upload" OR user_agent CONTAINS "curl" OR user_agent CONTAINS "wget"))
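The SIEM query above depends on a log source that records request bodies (form_data), which a plain web-server access log does not provide. What the access log does show is the sequence the indicators describe: POSTs to admin-ajax.php followed by requests for executable files under wp-content/uploads. The script below is an added example, not part of the advisory, that applies that correlation to combined-format log lines. The log regex, the executable-extension set, the 10-minute window, the burst threshold, and the sample log lines are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/Nginx default). Request bodies are not in access
# logs, so the 'usp-file-upload' form field cannot be matched here; instead we
# correlate POSTs to admin-ajax.php with later requests for executable files
# under wp-content/uploads, which is what a successful upload looks like from
# the access log's point of view.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Extensions the web server would hand to the PHP interpreter (assumption:
# match this to your server's handler configuration).
EXEC_EXT_RE = re.compile(r'\.(?:php\d?|phtml|phar|phps)(?:\?|$)', re.IGNORECASE)
AJAX_PATH = "/wp-admin/admin-ajax.php"
UPLOADS_PREFIX = "/wp-content/uploads/"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, window=timedelta(minutes=10), burst_threshold=3):
    """Return findings as (severity, client_ip, description) tuples."""
    findings = []
    ajax_posts = defaultdict(list)  # client ip -> timestamps of POSTs to admin-ajax.php
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == AJAX_PATH:
            ajax_posts[ip].append(ts)
            continue
        if path.startswith(UPLOADS_PREFIX) and EXEC_EXT_RE.search(path):
            # Executable file requested under uploads: high if the same client
            # recently POSTed to admin-ajax.php, medium otherwise.
            recent = [t for t in ajax_posts[ip] if timedelta(0) <= ts - t <= window]
            if recent:
                delay = int((ts - recent[0]).total_seconds())
                findings.append(("high", ip,
                    f"{path} (HTTP {rec['status']}) requested {delay}s after "
                    f"{len(recent)} POST(s) to {AJAX_PATH}"))
            else:
                findings.append(("medium", ip,
                    f"executable file requested under uploads: {path} (HTTP {rec['status']})"))
    # Bursts of admin-ajax POSTs from one client: noisy on its own (WordPress uses
    # admin-ajax.php for many legitimate actions), so it is reported at low severity.
    for ip, stamps in ajax_posts.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if t - start <= window)
            if n >= burst_threshold:
                findings.append(("low", ip, f"{n} POSTs to {AJAX_PATH} within {window}"))
                break
    return findings


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/8.1.2"
203.0.113.7 - - [14/Oct/2023:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/8.1.2"
203.0.113.7 - - [14/Oct/2023:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/8.1.2"
203.0.113.7 - - [14/Oct/2023:10:00:09 +0000] "GET /wp-content/uploads/2023/10/uploaded.php HTTP/1.1" 200 512 "-" "curl/8.1.2"
198.51.100.4 - - [14/Oct/2023:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "https://blog.example/" "Mozilla/5.0"
198.51.100.4 - - [14/Oct/2023:10:01:03 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 44120 "https://blog.example/" "Mozilla/5.0"
192.0.2.9 - - [14/Oct/2023:11:30:00 +0000] "GET /wp-content/uploads/2022/01/old.phtml HTTP/1.1" 404 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for sev, ip, desc in analyze(SAMPLE_LOG):
        print(f"[{sev.upper():6}] {ip:15} {desc}")
```

On the sample data the correlation rule fires once at high severity (the client that POSTed three times and then fetched uploaded.php), the lone .phtml request from a client with no preceding POST is reported at medium, and the POST burst is reported at low. Any request for a PHP-like file under uploads should already be answered with 403 once the .htaccess workaround is in place, so a 200 in that position is the finding to act on first.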
