Platform
wordpress
Component
wp-responsive-slider-with-lightbox
Fixed in
1.0.1
CVE-2023-5820 is a Cross-Site Request Forgery (CSRF) vulnerability in the Thumbnail Slider With Lightbox WordPress plugin (slug wp-responsive-slider-with-lightbox). The plugin's addedit handler accepts a file upload without verifying that the request was intentionally submitted from its own form (a WordPress nonce check), so an unauthenticated attacker who can get a logged-in administrator to visit an attacker-controlled page can have that administrator's browser submit a forged upload request on the attacker's behalf. Versions up to and including 1.0 are affected; the issue is fixed in 1.0.1.
The forged request can upload any file the attacker chooses, including a PHP script. If that file lands in a web-accessible directory, requesting it executes it on the server, which is remote code execution with the web server's privileges and, in practice, full control of the site: database access, defacement, persistent backdoors in themes or plugins, and exposure of any data stored in the WordPress installation. The chain needs one administrator action, but the resulting foothold is the same as any arbitrary file upload.
This vulnerability was publicly disclosed on 2023-10-27. No public proof-of-concept (PoC) code has been identified at the time of writing, but a CSRF exploit is little more than a web page that auto-submits a multipart form, so the absence of a PoC offers little protection. Because each exploitation requires an administrator to load attacker content while logged in, the flaw cannot be mass-exploited by the unauthenticated scanners that drive most WordPress attacks, but targeted phishing of site owners is a realistic path. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.10% (28th percentile)
CVSS Vector
The primary mitigation is to upgrade the Thumbnail Slider With Lightbox plugin to 1.0.1 or later. If upgrading is not immediately possible, deactivate the plugin until it can be updated, or at minimum reduce the impact of a successful upload by denying PHP execution in the uploads directory (a web server rule that refuses to execute .php files under wp-content/uploads), which turns an uploaded web shell into an inert file. Restricting filesystem write permissions on the upload location also blocks the attack, but it breaks the plugin's legitimate uploads as well. Because a forged request is submitted from the attacker's site, its Origin or Referer header names that site; a Web Application Firewall (WAF) or web server rule that rejects state-changing POSTs to wp-admin whose Origin does not match the site is a reasonable stopgap, although it will not help if those headers are stripped. Regularly review WordPress plugin security updates and apply patches promptly.
Update the Thumbnail Slider With Lightbox plugin to 1.0.1 or later. This closes the CSRF that lets an unauthenticated attacker upload arbitrary files when an administrator is tricked into clicking a malicious link.
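The following is an added example, not the plugin's own code, showing the vulnerable pattern the advisory describes (an upload handler that honours any request that reaches it) next to a hardened handler that does what version 1.0.1 needs to do: bind the form to a nonce, verify it and the user's capability before touching the upload, restrict the file to image types by content, and let WordPress place the file. The hook name rswl_example_addedit, the field names slide_image and rswl_example_nonce, and the slides subdirectory are assumptions for illustration and do not correspond to the plugin's real identifiers.

```php
<?php
// Added example (not the plugin's own code). Hook name, field names and the
// upload subdirectory are illustrative assumptions.

// --- Vulnerable pattern: no nonce, no capability check, no type check ---
// Defined only for contrast; it is deliberately not hooked anywhere.
function rswl_example_vulnerable_addedit() {
    if ( empty( $_FILES['slide_image']['tmp_name'] ) ) {
        return;
    }
    // Every request that reaches this point is honoured. A forged cross-site
    // POST made by a logged-in administrator's browser therefore uploads
    // whatever the attacker's page submitted, including a .php file, and the
    // client-supplied filename is used as-is.
    $dest = WP_CONTENT_DIR . '/uploads/slides/' . basename( $_FILES['slide_image']['name'] );
    move_uploaded_file( $_FILES['slide_image']['tmp_name'], $dest );
}

// --- Hardened pattern ---
// The form carries a nonce bound to one specific action name.
function rswl_example_render_form() {
    echo '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="rswl_example_addedit">';
    wp_nonce_field( 'rswl_example_addedit', 'rswl_example_nonce' );
    echo '<input type="file" name="slide_image" accept="image/*">';
    submit_button( 'Save slide' );
    echo '</form>';
}

function rswl_example_hardened_addedit() {
    // 1. Authorization: only users allowed to manage the plugin.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: verify the nonce tied to this exact action. An attacker's page
    //    cannot read the nonce, so a forged request fails here and
    //    check_admin_referer() terminates the request with wp_die().
    check_admin_referer( 'rswl_example_addedit', 'rswl_example_nonce' );

    if ( empty( $_FILES['slide_image']['tmp_name'] ) ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }

    // 3. Content restriction: decide the type from file contents and
    //    extension, never from the client-supplied MIME type.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['slide_image']['tmp_name'],
        sanitize_file_name( $_FILES['slide_image']['name'] ),
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Unsupported file type', '', array( 'response' => 415 ) );
    }

    // 4. Let WordPress store the file: wp_handle_upload() re-checks the type
    //    against $allowed, generates a unique safe filename and writes into
    //    the standard uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['slide_image'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_rswl_example_addedit', 'rswl_example_hardened_addedit' );
```

The order of the checks matters: the capability test and nonce verification run before any part of the upload is inspected, so an unauthenticated or forged request never reaches the file-handling code. The type allow-list is enforced twice (once explicitly, once by wp_handle_upload()) so that a future refactor that drops one check does not silently reopen PHP uploads.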
CVE-2023-5820 is a Cross-Site Request Forgery (CSRF) vulnerability in the Thumbnail Slider With Lightbox WordPress plugin that allows an attacker to upload arbitrary files via a forged request submitted by a logged-in administrator's browser.
You are affected if you run Thumbnail Slider With Lightbox version 1.0 or earlier. Check the installed version on the Plugins page of the WordPress admin and upgrade to 1.0.1 or later immediately.
Upgrade the Thumbnail Slider With Lightbox plugin to 1.0.1 or later. If upgrading is not possible, deactivate the plugin, or at least prevent PHP execution in the uploads directory until you can.
No public exploits are currently known, but a CSRF exploit is trivial to build once the request format is known, so treat the window before patching as exposed.
Refer to the WordPress plugin repository and the plugin developer's website for the latest security advisories and updates.