CVE-2023-1602

MEDIUM 4.4

CVSS Score

4.4

EPSS Score

0.0%

EPSS Percentile

0th

The Short URL plugin for WordPress is vulnerable to stored Cross-Site Scripting via the 'comment' parameter due to insufficient input sanitization and output escaping in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendor	kaizencoders
Product	short url
Published	Jun 29, 2023
Last Updated	Oct 28, 2024

Stay Ahead of the Next One

Get instant alerts for kaizencoders short url

Be the first to know when new medium vulnerabilities affecting kaizencoders short url are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

kaizencoders / Short URL

1.6.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/a5f29f35-da79-4389-a0a5-a1be0b0b8996?source=cve wordpress.org: https://wordpress.org/plugins/shorten-url/#developers plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/2931815/shorten-url/trunk/shorten-url.php

Credits

Etan Imanol Castro Aldrete