CVE-2023-1325
published 2023-04-17CVE-2023-1325: The Easy Forms for Mailchimp WordPress plugin before 6.8.7 does not validate and escape some of its shortcode attributes before outputting them back in a…
PriorityP424medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.53%
40.7th percentile
The Easy Forms for Mailchimp WordPress plugin before 6.8.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| juniper | junos_os | — | — |
| juniper | srx_series | — | — |
| yikesinc | easy_forms_for_mailchimp | < 6.8.7 | 6.8.7 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-5wv2-gf93-pmhf: The Easy Forms for Mailchimp WordPress plugin before 6
ghsa_unreviewed·2023-04-17
CVE-2023-1325 [MEDIUM] CWE-79 GHSA-5wv2-gf93-pmhf: The Easy Forms for Mailchimp WordPress plugin before 6
The Easy Forms for Mailchimp WordPress plugin before 6.8.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Juniper
CVE-2023-28968: An Improperly Controlled Sequential Memory Allocation vulnerability in the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) Application
vendor_juniper·2023-04-17·CVSS 5.3
CVE-2023-28968 [MEDIUM] CWE-1325 CVE-2023-28968: An Improperly Controlled Sequential Memory Allocation vulnerability in the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) Application
CVE-2023-28968: An Improperly Controlled Sequential Memory Allocation vulnerability in the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) Application Signature component of Junos OS's AppID service on SRX Series devices will stop the JDPI-Decoder from identifying dynamic application traffic, allowing an unauthenticated network-based attacker to send traffic to the target device using the JDPI-Decoder, designed to inspect dynamic application traffic and take action upon this traffic, to instead begin to not take action and to pass the traffic through. An example session can be seen by running the following command and evaluating the output. user@device# run show security flow session source-prefix extensive Session ID: , Status: Normal, State: Active Policy name: Dynamic app
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-04-17
Published