5.4
CVE-2023-4823
- EPSS 0.22%
- Veröffentlicht 31.10.2023 14:15:12
- Zuletzt bearbeitet 23.04.2025 17:16:47
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginWP Meta and Date Remover < 2.2.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via settings
The WP Meta and Date Remover WordPress plugin before 2.2.0 provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is then later output unescaped. Allowing any authenticated users, such as subscriber change them and perform Stored Cross-Site Scripting.
Mögliche Gegenmaßnahme
WP Meta and Date Remover: Update to version 2.2.0, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WP Meta and Date Remover
Version
[*, 2.2.0)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Prasadkirpekar ≫ Wp Meta And Date Remover SwPlatformwordpress Version < 2.2.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.22% | 0.442 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.