CVE-2023-2321

2023-07-0408:15:10

[email protected]

web.nvd.nist.gov

cve-2023-2321

wordpress

plugin

security

attribute

privilege

admin

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

29.5%

JSON

The WPForms Google Sheet Connector WordPress plugin before 3.4.6, gsheetconnector-wpforms-pro WordPress plugin through 3.4.6 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Affected configurations

Nvd

Node

gsheetconnectorwpforms_google_sheet_connectorRange<3.4.6freewordpress

gsheetconnectorwpforms_google_sheet_connectorRange≤3.4.6prowordpress

VendorProductVersionCPE
gsheetconnectorwpforms_google_sheet_connector*cpe:2.3:a:gsheetconnector:wpforms_google_sheet_connector:*:*:*:*:free:wordpress:*:*
gsheetconnectorwpforms_google_sheet_connector*cpe:2.3:a:gsheetconnector:wpforms_google_sheet_connector:*:*:*:*:pro:wordpress:*:*

Vendor	Product	Version	CPE
gsheetconnector	wpforms_google_sheet_connector	*	cpe:2.3:a:gsheetconnector:wpforms_google_sheet_connector:::::free:wordpress::
gsheetconnector	wpforms_google_sheet_connector	*	cpe:2.3:a:gsheetconnector:wpforms_google_sheet_connector:::::pro:wordpress::