Rewterz Corporate Iftar Dinner 2023

April 6, 2023

Rewterz Threat Advisory – CVE-2023-29017 – Node.js vm2 module Vulnerability

April 7, 2023

Rewterz Threat Advisory – Multiple WordPress Plugin Vulnerabilities

April 7, 2023

Severity

Medium

Analysis Summary

CVE-2023-23685 CVSS:6.5

WordPress Portfolio Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23681 CVSS:6.5

Image Hover Effects For WPBakery Page Builder Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23686 CVSS:6.5

Simple Staff List Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23821 CVSS:5.9

Interactive Polish Map Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23870 CVSS:5.9

Responsive Vertical Icon Menu Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23978 CVSS:5.9

WP Google Map Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23977 CVSS:6.5

Team Heateor WordPress Social Comments Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

Impact

Cross-Site Scripting

Indicators Of Compromise

CVE

CVE-2023-23685
CVE-2023-23681
CVE-2023-23686
CVE-2023-23821
CVE-2023-23870
CVE-2023-23978
CVE-2023-23977

Affected Vendors

WordPress

Affected Products

WordPress Portfolio Plugin for WordPress 2.8.10
WordPress Image Hover Effects For WPBakery Page Builder Plugin for WordPress 4.0
WordPress Simple Staff List Plugin for WordPress 2.2.2
WordPress Interactive Polish Map Plugin for WordPress 1.2
WordPress Responsive Vertical Icon Menu Plugin for WordPress 1.5.8
WordPress WordPress Plugin for Google Maps 4.3.9
Team Heateor WordPress Social Comments Plugin for WordPress 1.6.1

Remediation

Upgrade to the latest version of WordPress Plugins, available from the WordPress Plugin Directory.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, the Middle East, and Africa – Active IOCs

Strela Stealer Malware Targets Microsoft Outlook Users for Credential Theft – Active IOCs

EncryptHub: A Multi-Stage Malware Breach Impacting 600 Organizations – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us