CVE-2023-2113

2023-05-3008:15:09

[email protected]

web.nvd.nist.gov

autoptimize

wordpress

plugin

security

vulnerability

cve-2023-2113

javascript injection

nvd

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

23.7%

JSON

The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high privileged users (such as an administrator) to inject arbitrary javascript into the admin panel, even when the unfiltered_html capability is disabled, such as in a multisite setup.

Affected configurations

Vulners

NVD

Node

rapidloadrapidload_power-up_for_autoptimizeRange<3.1.7

VendorProductVersionCPE
rapidloadrapidload_power\-up_for_autoptimize*cpe:2.3:a:rapidload:rapidload_power\-up_for_autoptimize:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rapidload	rapidload_power\-up_for_autoptimize	*	cpe:2.3:a:rapidload:rapidload_power\-up_for_autoptimize::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Autoptimize",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "3.1.7"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]