Severity
Medium
Analysis Summary
CVE-2023-4919 CVSS:6.4
iframe plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-4648 CVSS:4.4
WP Customer Reviews Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-46085 CVSS:4.3
Wp Ultimate Review Plugin for WordPress is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2023-46089 CVSS:4.3
Userback Plugin for WordPress is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2023-46095 CVSS:5.4
Smooth Scroll Links Plugin for WordPress is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2023-46067 CVSS:4.3
Rocket Font Plugin for WordPress is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
Impact
- Cross-Site Scripting
- Information Theft
- Gain Access
Indicators Of Compromise
CVE
- CVE-2023-4919
- CVE-2023-4648
- CVE-2023-46085
- CVE-2023-46089
- CVE-2023-46095
- CVE-2023-46067
Affected Vendors
WordPress
Affected Products
- iframe Plugin for WordPress 4.6
- WP Customer Reviews Plugin for WordPress 3.6.6
- Wp Ultimate Review Plugin for WordPress 2.2.4
- Userback Plugin for WordPress 1.0.13
- Smooth Scroll Links Plugin for WordPress 1.1.0
- Rocket Font Plugin for WordPress 1.2.3
Remediation
Refer to WordPress Plugin Directory for patch, upgrade or suggested workaround information.