CVE-2023-2249

Description

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to retrieve the contents of files like wp-config.php hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.

Wordfence
Severity: HIGH
CVE ID: CVE-2023-2249
CVSS Score: 8.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Refrence: NVD MITRE

Proof Of Concept

ixiacom

Exploit for CVE-2023-2249 in wpForo Forum plugin for WordPress

Refrence: GitHub

Content on GitHub

smash8tap | watchers:0

CVE-2023-22490_PoC

Refrence: GitHub

Description​

Proof Of Concept​

Content on GitHub​

Description

Proof Of Concept

Content on GitHub