CVE-2023-0280

2023-05-0814:15:11

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-0280

ultimate carousel

block options validation

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

23.5%

JSON

The Ultimate Carousel For Elementor WordPress plugin through 2.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Affected configurations

Nvd

Node

topdigitaltrendsultimate_carousel_for_elementorRange≤2.1.7wordpress

VendorProductVersionCPE
topdigitaltrendsultimate_carousel_for_elementor*cpe:2.3:a:topdigitaltrends:ultimate_carousel_for_elementor:*:*:*:*:*:wordpress:*:*