Lucene search

[email protected]NVD:CVE-2023-2498

HistoryMay 24, 2023 - 12:15 a.m.

CVE-2023-2498

2023-05-2400:15:09

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-2498

vulnerability

go pricing wordpress

stored cross-site scripting

input sanitization

output escaping

contributor-level attackers

arbitrary web scripts

page injection

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

40.5%

JSON

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.19 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected configurations

Nvd

Node

granthwebgo_pricingRange≤3.3.19wordpress

VendorProductVersionCPE
granthwebgo_pricing*cpe:2.3:a:granthweb:go_pricing:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
granthweb	go_pricing	*	cpe:2.3:a:granthweb:go_pricing::::::wordpress::*

References

codecanyon.net/item/go-pricing-wordpress-responsive-pricing-tables/3725820

www.wordfence.com/threat-intel/vulnerabilities/id/1c3d4c96-63a7-4f3b-a9ac-095be241f840?source=cve