PT-2023-17641 · WordPress · Buy Me A Coffee – Button/Widget Plugin
István Márton
+1
·
Published
2023-07-14
·
Updated
2023-07-27
·
CVE-2023-2082
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Buy Me a Coffee – Button and Widget Plugin versions up to, and including, 3.6
Description
The issue arises from insufficient sanitization and escaping on the
text value set via the bmc post reception action, allowing authenticated attackers with subscriber-level permissions and above to inject arbitrary web scripts into pages. These scripts execute whenever a victim accesses a page with the injected scripts.Recommendations
For versions up to, and including, 3.6, update to a version that addresses the insufficient sanitization and escaping issue.
As a temporary workaround, consider restricting access to the
bmc post reception action to minimize the risk of exploitation.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Buy Me A Coffee – Button/Widget Plugin