Back to KEVs

CVE-2023-0159

Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE

Basic Information

CVE State
PUBLISHED
Reserved Date
January 10, 2023
Published Date
February 13, 2023
Last Updated
August 02, 2024
Vendor
Unknown
Product
Extensive VC Addons for WPBakery page builder
Description
The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
Tags
nuclei_scanner

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploit Status

Exploited in the Wild
Yes (2026-04-28 00:00:00 UTC) Source

References

https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2026-04-28 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-0159.yaml 2025-04-25 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel