Five Star Business Profile And Schema
Monthly
Remote code execution in the Five Star Business Profile and Schema WordPress plugin (versions up to and including 2.3.19) allows an attacker holding an Editor-level or higher account to inject and execute arbitrary PHP code on the host. Reported by Patchstack and rated CVSS 9.1 due to its scope-changing impact, the flaw turns a trusted content role into full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-94 code-injection root cause makes reliable exploitation straightforward for any authorized high-privilege user.
Remote code execution in the Five Star Business Profile and Schema WordPress plugin (versions up to and including 2.3.19) allows an attacker holding an Editor-level or higher account to inject and execute arbitrary PHP code on the host. Reported by Patchstack and rated CVSS 9.1 due to its scope-changing impact, the flaw turns a trusted content role into full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-94 code-injection root cause makes reliable exploitation straightforward for any authorized high-privilege user.