CVE-2023-1119
published 2023-07-10CVE-2023-1119: The WP-Optimize WordPress plugin before 3.2.13, SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML…
PriorityP179medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.10%
61.5th percentile
The WP-Optimize WordPress plugin before 3.2.13, SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting vulnerability.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 5.18.0 < 6.1.47 | 6.1.47 |
| linux | linux_kernel | >= 6.2.0 < 6.4.12 | 6.4.12 |
| srbtranslatin_project | srbtranslatin | < 2.4 | 2.4 |
| updraftplus | wp-optimize | < 3.2.13 | 3.2.13 |
Detection & IOCsextracted from sources · hover to see the quote
urlalert%28document.domain%29
- →HTTP response body contains both 'alert(document.domain)' and 'Search' strings simultaneously, indicating reflected XSS payload execution in WP-Optimize or SrbTransLatin plugin
- →Response Content-Type must be text/html for the XSS to be relevant
- →HTTP 200 status code is expected in a successful XSS probe response
- →The vulnerability arises from a third-party library that removes escaping on some HTML characters, enabling XSS in WP-Optimize before 3.2.13 and SrbTransLatin before 2.4.1 ↗
- ·The Nuclei template digest/signature is present, indicating this is a signed detection template; tampering with the template would invalidate the signature
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
drm/stm: ltdc: fix late dereference check
osv·2025-10-22
CVE-2023-53714 drm/stm: ltdc: fix late dereference check
drm/stm: ltdc: fix late dereference check
In the Linux kernel, the following vulnerability has been resolved:
drm/stm: ltdc: fix late dereference check
In ltdc_crtc_set_crc_source(), struct drm_crtc was dereferenced in a
container_of() before the pointer check. This could cause a kernel panic.
Fix this smatch warning:
drivers/gpu/drm/stm/ltdc.c:1124 ltdc_crtc_set_crc_source() warn: variable dereferenced before check 'crtc' (see line 1119)
GHSA
GHSA-2fmj-pq77-gvj7: The WP-Optimize WordPress plugin before 3
ghsa_unreviewed·2023-07-10
CVE-2023-1119 [MEDIUM] CWE-79 GHSA-2fmj-pq77-gvj7: The WP-Optimize WordPress plugin before 3
The WP-Optimize WordPress plugin before 3.2.13, SrbTransLatin WordPress plugin through 2.4 use a third-party library that removes the escaping on some HTML characters, leading to a Cross-Site Scripting vulnerability.
VulnCheck
srbtranslatin_project srbtranslatin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2023·CVSS 6.1
CVE-2023-1119 [MEDIUM] srbtranslatin_project srbtranslatin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
srbtranslatin_project srbtranslatin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The WP-Optimize WordPress plugin before 3.2.13, SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting vulnerability.
Affected: srbtranslatin_project srbtranslatin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/wp-optimize/vulnerability/wordpress-wp-optimize-plugin-3-2-13-reflected-xss-vulnerability
Red Hat
kernel: drm/stm: ltdc: fix late dereference check
vendor_redhat·2025-10-22
CVE-2023-53714 kernel: drm/stm: ltdc: fix late dereference check
kernel: drm/stm: ltdc: fix late dereference check
In the Linux kernel, the following vulnerability has been resolved:
drm/stm: ltdc: fix late dereference check
In ltdc_crtc_set_crc_source(), struct drm_crtc was dereferenced in a
container_of() before the pointer check. This could cause a kernel panic.
Fix this smatch warning:
drivers/gpu/drm/stm/ltdc.c:1124 ltdc_crtc_set_crc_source() warn: variable dereferenced before check 'crtc' (see line 1119)
Package: kernel (Red Hat Enterprise Linux 10) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Enterprise Linux 8) - Not affected
Package: kernel-rt (Red Hat Enterprise
No detection rules found.
Nuclei
WP-Optimize WordPress plugin < 3.2.13 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2023-1119 [MEDIUM] WP-Optimize WordPress plugin < 3.2.13 - Cross-Site Scripting
WP-Optimize WordPress plugin alert%28document.domain%29 HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "alert(document.domain)"
- "Search"
condition: and
- type: word
part: body
words:
- text/html
- type: status
status:
- 200
# digest: 4b0a004830460221009771497cc2ef0cb1c4e7cc5c31206d24eb9c720fb51ca492ceb0d7650949da68022100c8c13126dd5ffee81d1c78ffbb49e455d2252c138b01a01d3c6c76ed4d205a61:922c64590222798bb761d5b6d8e72950
arXiv
LLM Agents can Autonomously Exploit One-day Vulnerabilities
arxiv_fulltext·2024-04-17
LLM Agents can Autonomously Exploit One-day Vulnerabilities
## Abstract
LLMs have becoming increasingly powerful, both in their benign and malicious
uses. With the increase in capabilities, researchers have been increasingly
interested in their ability to exploit cybersecurity vulnerabilities. In
particular, recent work has conducted preliminary studies on the ability of LLM
agents to autonomously hack websites. However, these studies are limited to
simple vulnerabilities.
In this work, we show that LLM agents can autonomously exploit one-day
vulnerabilities in real-world systems. To show this, we collected a
dataset of 15 one-day vulnerabilities that include ones categorized as critical
severity in the CVE description. When given the CVE description, GPT-4 is
capable of exploiting 87% of these vulnerabilities compared to 0% for every
other model
Bugzilla
CVE-2023-53714 kernel: drm/stm: ltdc: fix late dereference check
bugzilla·2025-10-22
CVE-2023-53714 CVE-2023-53714 kernel: drm/stm: ltdc: fix late dereference check
CVE-2023-53714 kernel: drm/stm: ltdc: fix late dereference check
In the Linux kernel, the following vulnerability has been resolved:
drm/stm: ltdc: fix late dereference check
In ltdc_crtc_set_crc_source(), struct drm_crtc was dereferenced in a
container_of() before the pointer check. This could cause a kernel panic.
Fix this smatch warning:
drivers/gpu/drm/stm/ltdc.c:1124 ltdc_crtc_set_crc_source() warn: variable dereferenced before check 'crtc' (see line 1119)
Discussion:
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025102213-CVE-2023-53714-6b41@gregkh/T
2023-07-10
Published
Exploited in the wild