CVE-2023-3372

2024-01-1616:15:11

CWE-79

WPScan

web.nvd.nist.gov

cve-2023-3372

lana shortcodes

wordpress

plugin

security

xss

stored xss

nvd.

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

Percentile

14.0%

JSON

The Lana Shortcodes WordPress plugin before 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Affected configurations

Nvd

Vulners

Node

lanalana_shortcodesRange<1.2.0wordpress

VendorProductVersionCPE
lanalana_shortcodes*cpe:2.3:a:lana:lana_shortcodes:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
lana	lana_shortcodes	*	cpe:2.3:a:lana:lana_shortcodes::::::wordpress::*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Lana Shortcodes",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "1.2.0"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]