History: Feb 21, 2023 - 9:15 a.m.

CVE-2023-0442

2023-02-21 09:15:12
WPScan
web.nvd.nist.gov

Tags: cve-2023-0442, loan comparison, wordpress plugin, security vulnerability, javascript injection, nvd

CVSS3: 6.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 40.8%

The Loan Comparison WordPress plugin before 1.5.3 does not validate and escape some of its query parameters before outputting them back in a page/post via an embedded shortcode, which could allow an attacker to inject JavaScript into the site via a crafted URL.

Affected configurations

Node: loan_comparison_project loan_comparison, Range <1.5.3, wordpress

Vendor: loan_comparison_project
Product: loan_comparison
Version: *
CPE: cpe:2.3:a:loan_comparison_project:loan_comparison:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Loan Comparison",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.5.3"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
