Severity
Medium
Analysis Summary
CVE-2023-25964 CVSS:5.9
We’re Open plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-25978 CVSS:5.9
Protected Posts Logout Button plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-26528 CVSS:5.9
Shipyaari Shipping Management plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-26538 CVSS:5.9
Chat Bee plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-34000 CVSS:7.5
WooCommerce Stripe Payment Gateway plugin for WordPress could allow a remote attacker to obtain sensitive information, caused by a IDOR vulnerability. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
Impact
- Cross-Site Scripting
Indicators Of Compromise
CVE
- CVE-2023-25964
- CVE-2023-25978
- CVE-2023-26528
- CVE-2023-26538
- CVE-2023-34000
Affected Vendors
WordPress
Affected Products
- Were Open! Plugin for WordPress 1.46
- UTM Tracker Plugin for WordPress 1.3.1
- Protected Posts Logout Button Plugin for WordPress 1.4.5
- Shipyaari Shipping Management Plugin for WordPress 1.0
- Chat Bee Plugin for WordPress 1.1.0
- WooCommerce Stripe Payment Gateway plugin for WordPress 7.4.0
Remediation
Upgrade to the latest version of Protected Posts We’re Open! Plugin, available from the WordPress Plugin Directory.