CVE-2023-2320

2023-07-0408:15:10

[email protected]

web.nvd.nist.gov

cve-2023-2320

nvd

wordpress

plugin

vulnerability

xss

security

admin

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

20.5%

JSON

The CF7 Google Sheets Connector WordPress plugin before 5.0.2, cf7-google-sheets-connector-pro WordPress plugin through 5.0.2 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Affected configurations

Vulners

NVD

Node

gsheetconnectorcf7_google_sheets_connectorRange<5.0.2

gsheetconnectorcf7_google_sheets_connectorRange≤5.0.2

VendorProductVersionCPE
gsheetconnectorcf7_google_sheets_connector*cpe:2.3:a:gsheetconnector:cf7_google_sheets_connector:*:*:*:*:*:*:*:*
gsheetconnectorcf7_google_sheets_connector*cpe:2.3:a:gsheetconnector:cf7_google_sheets_connector:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gsheetconnector	cf7_google_sheets_connector	*	cpe:2.3:a:gsheetconnector:cf7_google_sheets_connector::::::::
gsheetconnector	cf7_google_sheets_connector	*	cpe:2.3:a:gsheetconnector:cf7_google_sheets_connector::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "CF7 Google Sheets Connector",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "5.0.2"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  },
  {
    "vendor": "Unknown",
    "product": "cf7-google-sheets-connector-pro",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThanOrEqual": "5.0.2"
      }
    ],
    "defaultStatus": "affected"
  }
]