CVE-2023-0165Cross-site Scripting in Cost Calculator

CWE-79Cross-site ScriptingCWE-2644 documents4 sources
Severity
5.4MEDIUMNVD
CISA7.8
EPSS
0.2%
top 60.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nicdark Cost Calculator
Timeline
PublishedMar 6
Latest updateJun 22

Description

The Cost Calculator WordPress plugin through 1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

🔴Vulnerability Details

2
CVEList
Cost Calculator <= 1.8 - Contributor+ Stored XSS2023-03-06
GHSA
GHSA-g7xw-c5fw-fpv5: The Cost Calculator WordPress plugin through 12023-03-06

📋Vendor Advisories

1
CISA
Microsoft Win32k Privilege Escalation Vulnerability2023-06-22
CVE-2023-0165 — Cross-site Scripting in Cost Calculator | cvebase