Request a Demo
Rewterz Corporate Iftar Dinner 2023
April 6, 2023
Rewterz
Rewterz Threat Advisory – CVE-2023-29017 – Node.js vm2 module Vulnerability
April 7, 2023

Rewterz Threat Advisory – Multiple WordPress Plugin Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-23685 CVSS:6.5

WordPress Portfolio Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23681 CVSS:6.5

Image Hover Effects For WPBakery Page Builder Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23686 CVSS:6.5

Simple Staff List Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23821 CVSS:5.9

Interactive Polish Map Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23870 CVSS:5.9

Responsive Vertical Icon Menu Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23978 CVSS:5.9

WP Google Map Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23977 CVSS:6.5

Team Heateor WordPress Social Comments Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

Impact

  • Cross-Site Scripting

Indicators Of Compromise

CVE

  • CVE-2023-23685
  • CVE-2023-23681
  • CVE-2023-23686
  • CVE-2023-23821
  • CVE-2023-23870
  • CVE-2023-23978
  • CVE-2023-23977

Affected Vendors

WordPress

Affected Products

  • WordPress Portfolio Plugin for WordPress 2.8.10
  • WordPress Image Hover Effects For WPBakery Page Builder Plugin for WordPress 4.0
  • WordPress Simple Staff List Plugin for WordPress 2.2.2
  • WordPress Interactive Polish Map Plugin for WordPress 1.2
  • WordPress Responsive Vertical Icon Menu Plugin for WordPress 1.5.8
  • WordPress WordPress Plugin for Google Maps 4.3.9
  • Team Heateor WordPress Social Comments Plugin for WordPress 1.6.1

Remediation

Upgrade to the latest version of WordPress Plugins, available from the WordPress Plugin Directory.

CVE-2023-23685

CVE-2023-23681

CVE-2023-23686

CVE-2023-23821

CVE-2023-23870

CVE-2023-23978

CVE-2023-23977