
CVE-2023-6499

Date: 2024-02-12 16:15:08
Source: web.nvd.nist.gov
Tags: cve-2023-6499, wordpress plugin, csrf, stored xss, security vulnerability, nvd

AI Score: 8.7 High (confidence: High)
EPSS: 0.0004 Low (percentile: 9.1%)

The lasTunes WordPress plugin through version 3.6.1 lacks CSRF checks in some places and neither sanitises input nor escapes output. An attacker can therefore use a CSRF attack to make a logged-in admin's browser submit a request that stores an XSS payload, which then executes for anyone who views the affected page.
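The following is an added illustration, not code from the lasTunes plugin, of the two halves of the flaw described above and of the standard WordPress fix. The first handler accepts a settings POST without a nonce or capability check and stores the raw value, which is later echoed unescaped; the second adds current_user_can(), check_admin_referer(), sanitisation on input and escaping on output. The option name, admin_post action names, field names and the attacker's form are assumptions made for this example only.

```php
<?php
/*
 * Constructed example (not lasTunes code). Names such as example_tunes_title,
 * example_tunes_save and the "title" field are hypothetical.
 */

// --- Vulnerable shape -----------------------------------------------------
// admin_post_{action} only fires for logged-in users, but nothing here ties the
// request to the admin's intent, so any page the admin visits can POST to it.
add_action( 'admin_post_example_tunes_save_vuln', 'example_tunes_save_vuln' );
function example_tunes_save_vuln() {
    // No current_user_can(), no nonce, no sanitisation:
    // "<script>...</script>" is stored verbatim.
    update_option( 'example_tunes_title', $_POST['title'] );
    wp_safe_redirect( admin_url( 'admin.php?page=example-tunes' ) );
    exit;
}

function example_tunes_render_vuln() {
    // No escaping: the stored payload runs for every admin who opens the page.
    echo '<h2>' . get_option( 'example_tunes_title' ) . '</h2>';
}

/*
 * The CSRF page an attacker would host (constructed) is an auto-submitting form:
 *
 *   <form action="https://victim.example/wp-admin/admin-post.php" method="POST">
 *     <input type="hidden" name="action" value="example_tunes_save_vuln">
 *     <input type="hidden" name="title" value="<script>alert(document.domain)</script>">
 *   </form>
 *   <script>document.forms[0].submit()</script>
 *
 * The admin's session cookie rides along, the vulnerable handler stores the
 * payload, and example_tunes_render_vuln() later executes it.
 */

// --- Hardened shape -------------------------------------------------------
add_action( 'admin_post_example_tunes_save', 'example_tunes_save' );
function example_tunes_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Dies with a 403 unless the POST carries a valid nonce for this action,
    // which the attacker's cross-site form cannot obtain.
    check_admin_referer( 'example_tunes_save', 'example_tunes_nonce' );

    // Sanitise on input: strips tags, control characters and extra whitespace.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    update_option( 'example_tunes_title', $title );

    wp_safe_redirect( admin_url( 'admin.php?page=example-tunes' ) );
    exit;
}

function example_tunes_render() {
    $title = get_option( 'example_tunes_title', '' );

    // Escape on output, in the context where the value is used.
    echo '<h2>' . esc_html( $title ) . '</h2>';

    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Emits the hidden nonce field the hardened handler verifies.
    wp_nonce_field( 'example_tunes_save', 'example_tunes_nonce' );
    echo '<input type="hidden" name="action" value="example_tunes_save">';
    echo '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

Note that the nonce check and the sanitisation fix different halves of the bug: check_admin_referer() stops the forged request, while sanitize_text_field() and esc_html()/esc_attr() stop a payload from becoming stored XSS even if it arrives through a legitimately authenticated form. A plugin that only adds the nonce still has a self-XSS and an "evil admin" problem; a plugin that only escapes still lets an attacker rewrite settings via CSRF.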

Affected configurations

Vulners node: lastunes, versions up to and including 3.6.1

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "lasTunes",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThanOrEqual": "3.6.1"
      }
    ],
    "defaultStatus": "affected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
