CVE-2023-1602

Опубликовано: 29 июн. 2023

Источник: nvd

CVSS3: 4.4

CVSS3: 4.8

EPSS Низкий

Описание

The Short URL plugin for WordPress is vulnerable to stored Cross-Site Scripting via the 'comment' parameter due to insufficient input sanitization and output escaping in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Ссылки

https://plugins.trac.wordpress.org/changeset/2931815/shorten-url/trunk/shorten-url.php
Patch
https://wordpress.org/plugins/shorten-url/#developers
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/a5f29f35-da79-4389-a0a5-a1be0b0b8996?source=cve
Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2931815/shorten-url/trunk/shorten-url.php
Patch
https://wordpress.org/plugins/shorten-url/#developers
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/a5f29f35-da79-4389-a0a5-a1be0b0b8996?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:kaizencoders:short_url:*:*:*:*:*:wordpress:*:*

Версия до 1.6.4 (включая)

EPSS

Процентиль: 58%

0.00365

Низкий

4.4 Medium

CVSS3

4.8 Medium

CVSS3

Дефекты

Связанные уязвимости

GHSA-6cxm-7399-4qrp

CVSS3: 4.4

github

больше 2 лет назад

EPSS

Процентиль: 58%

0.00365

Низкий

4.4 Medium

CVSS3

4.8 Medium

CVSS3