CVE-2023-3954

🗓️ 21 Aug 2023 12:29:48Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 44 Views🌐 WEB

The MultiParcels Shipping For WooCommerce plugin before 1.15.4 is vulnerable to Reflected Cross-Site Scriptin

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2023-3954	21 Aug 202320:41	–	circl
CNNVD	WordPress plugin MultiParcels Shipping For WooCommerce 跨站脚本漏洞	21 Aug 202300:00	–	cnnvd
Cvelist	CVE-2023-3954 MultiParcels Shipping For WooCommerce 1.15.2-1.15.3 - Reflected XSS	21 Aug 202312:29	–	cvelist
EUVD	EUVD-2023-44580	3 Oct 202520:07	–	euvd
NVD	CVE-2023-3954	21 Aug 202317:15	–	nvd
OSV	CVE-2023-3954	21 Aug 202317:15	–	osv
Prion	Cross site scripting	21 Aug 202317:15	–	prion
Positive Technologies	PT-2023-27008 · WordPress · Multiparcels Shipping For Woocommerce	21 Aug 202300:00	–	ptsecurity
RedhatCVE	CVE-2023-3954	23 May 202504:11	–	redhatcve
Vulnrichment	CVE-2023-3954 MultiParcels Shipping For WooCommerce 1.15.2-1.15.3 - Reflected XSS	21 Aug 202312:29	–	vulnrichment

NVD

Vulners

Node

multiparcels multiparcels_shipping_for_woocommerceRange<1.15.4wordpress

[
  {
    "vendor": "Unknown",
    "product": "MultiParcels Shipping For WooCommerce",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "1.15.2",
        "lessThan": "1.15.4"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/b463ccbb-2dc1-479f-bc88-becd204b2dc0

Parameter	Position	Path	Description	CWE
_wpnonce	query param	wp-admin/admin-post.php?action=multiparcels_delete_shipping&_wpnonce=<img src onerror=alert(/XSS/)>	Reflected Cross-Site Scripting via _wpnonce parameter in admin-post handling path, could affect admin users	CWE-79

05 May 2025 16:15Current

6.1Medium risk

Vulners AI Score6.1

CVSS 3.16.1

EPSS0.0016

SSVC

CWE-79