CVE-2023-4521: 
WordPress vulnerability analysis and mitigation

The Import XML and RSS Feeds WordPress plugin versions before 2.1.5 contained a critical vulnerability (CVE-2023-4521) that was discovered in August 2023. The vulnerability involves a web shell presence in the plugin that enables unauthenticated attackers to perform Remote Code Execution (RCE). Notably, this vulnerability wasn't due to a compromise of the plugin or vendor but resulted from proof-of-concept files being inadvertently left in the release (WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The technical issue stems from the presence of residual files from a previous proof-of-concept demonstration, specifically related to a previously reported vulnerability. These files enable unauthenticated remote code execution through a web shell accessible at the path '/wp-content/plugins/import-xml-feed/uploads/' (NVD, WPScan).

The vulnerability allows unauthenticated attackers to execute arbitrary code on the affected WordPress installations, potentially leading to complete system compromise. With the highest possible CVSS score for unauthenticated RCE, this vulnerability poses a critical risk to affected websites (NVD).

The vulnerability has been patched in version 2.1.5 of the Import XML and RSS Feeds plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk (WPScan).