CVE-2023-1420

Severity: 6.1 MEDIUM
EPSS: 0.1% (top 64.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 24, 2023

Description

The Ajax Search Lite WordPress plugin before 4.11.1 and the Ajax Search Pro WordPress plugin before 4.26.2 do not sanitise and escape a request parameter before echoing it back in the response of an AJAX action. This is a Reflected Cross-Site Scripting vulnerability: an attacker who gets a high-privilege user such as an administrator to open a crafted link can execute script in that user's browser session.
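The pattern behind this class of bug, and the fix a plugin author would apply, as an added illustration that is not code from Ajax Search Lite, Ajax Search Pro or the advisory. The action name (`example_preview`), parameter name (`q`), markup and nonce name are assumptions chosen for the example; the page does not identify the real handler or parameter.

```php
<?php
/*
 * Illustrative WordPress AJAX handler showing a reflected XSS and its fix.
 * NOT the Ajax Search Lite/Pro code. Action name, parameter name, markup
 * and nonce action are assumptions for this example.
 */

/*
 * Vulnerable pattern: the request parameter is written straight into the
 * response body. A link such as
 *   /wp-admin/admin-ajax.php?action=example_preview_vuln&q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E
 * reflects the attacker's markup verbatim; if a logged-in admin opens it,
 * the script runs in the admin's origin with the admin's cookies.
 */
function example_preview_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    // No sanitising on input, no escaping on output.
    echo '<div class="preview">Results for: ' . $q . '</div>';
    wp_die();
}
// Registered for both logged-in and anonymous callers, which is typical
// for a front-end search feature.
add_action( 'wp_ajax_example_preview_vuln', 'example_preview_vulnerable' );
add_action( 'wp_ajax_nopriv_example_preview_vuln', 'example_preview_vulnerable' );

/*
 * Hardened pattern: sanitise on input, escape on output for the context
 * the value lands in, and tie the logged-in variant to a nonce.
 */
function example_preview_hardened() {
    // Defence in depth for the logged-in hook: rejects requests that do not
    // carry a nonce minted for this action, so an off-site link cannot drive
    // the handler inside an admin's session. check_ajax_referer() dies on
    // failure when its third argument is left at the default (true).
    if ( is_user_logged_in() ) {
        check_ajax_referer( 'example_preview', 'nonce' );
    }

    // wp_unslash() reverses WordPress's magic-quotes-style slashing;
    // sanitize_text_field() strips tags, invalid UTF-8 and control bytes.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // The actual fix for reflected XSS is output escaping in the right
    // context: esc_html() for HTML text content, esc_attr() inside an
    // attribute, esc_url() for href/src. Input sanitising alone is not
    // enough, because sanitize_text_field() does not encode quotes or
    // angle brackets that survive tag stripping in every context.
    echo '<div class="preview">Results for: ' . esc_html( $q ) . '</div>';
    wp_die();
}
add_action( 'wp_ajax_example_preview', 'example_preview_hardened' );
add_action( 'wp_ajax_nopriv_example_preview', 'example_preview_hardened' );

/*
 * The front-end script that calls the hardened action needs the nonce.
 * wp_create_nonce() must use the same action string as check_ajax_referer().
 */
function example_preview_enqueue() {
    wp_enqueue_script( 'example-preview', plugins_url( 'preview.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-preview', 'examplePreview', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_preview' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_preview_enqueue' );
```

The nonce only protects the `wp_ajax_` (logged-in) path and is not what closes the vulnerability; a search endpoint that must stay reachable anonymously through `wp_ajax_nopriv_` still reflects whatever it echoes, so the output escaping is the essential change. When reviewing a plugin for this bug, grep its `wp_ajax_` handlers for `$_GET`, `$_POST` or `$_REQUEST` values that reach `echo`, `print` or `wp_send_json*` without passing through an `esc_*` function matching the output context.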

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

Source      Package                     Affected versions
CVEListV5   unknown/ajax_search_lite    < 4.11.1
NVD         wp-dreams/ajax_search       < 4.11.1+1
CVEListV5   unknown/ajax_search_pro     < 4.26.2

Vulnerability Details (2 references)

CVEList: Ajax Search Lite < 4.11.1, Pro < 4.26.2 - Reflected Cross-Site Scripting (2023-04-24)
GHSA: GHSA-cq3h-xfg9-7523: The Ajax Search Lite WordPress plugin before 4 (2023-04-24)