CVE-2023-4536

high

Description

The My Account Page Editor WordPress plugin before 1.3.2 does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE

References

https://wpscan.com/vulnerability/80e0e21c-9e6e-406d-b598-18eb222b3e3e/

Details

Source: Mitre, NVD

Published: 2024-01-16

Updated: 2025-06-20

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00686