PT-2023-31793 · WordPress · Simply Excerpts

Niclo

Published

2023-12-04

Updated

2023-12-07

CVE-2023-5137

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Simply Excerpts WordPress plugin version 1.4 and earlier

Description The Simply Excerpts WordPress plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered html capability is disallowed, for example in a multisite setup.

Recommendations For Simply Excerpts WordPress plugin version 1.4 and earlier, update to a version that sanitizes and escapes fields in the plugin settings to prevent arbitrary web script injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2023-5137

Affected Products

Simply Excerpts

PT-2023-31793 · WordPress · Simply Excerpts

CVE-2023-5137

Weakness Enumeration

Related Identifiers

Affected Products

References · 7