CVE-2023-2009
published 2023-05-15CVE-2023-2009: Plugin does not sanitize and escape the URL field in the Pretty Url WordPress plugin through 1.5.4 settings, which could allow high-privilege users to perform…
PriorityP421medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EXPLOIT
EPSS
0.82%
52.7th percentile
Plugin does not sanitize and escape the URL field in the Pretty Url WordPress plugin through 1.5.4 settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 6.3.0 < 6.3.6 | 6.3.6 |
| msrc | windows_defender_antimalware_platform | — | — |
| pretty_url_project | pretty_url | <= 1.5.4 | — |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
vendor_redhat8.0HIGH
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
net/mlx5e: TC, Fix using eswitch mapping in nic mode
osv·2025-12-30
CVE-2023-54216 net/mlx5e: TC, Fix using eswitch mapping in nic mode
net/mlx5e: TC, Fix using eswitch mapping in nic mode
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: TC, Fix using eswitch mapping in nic mode
Cited patch is using the eswitch object mapping pool while
in nic mode where it isn't initialized. This results in the
trace below [0].
Fix that by using either nic or eswitch object mapping pool
depending if eswitch is enabled or not.
[0]:
[ 826.446057] ==================================================================
[ 826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core]
[ 826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233
[ 826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G W 6.3.0-rc6+ #1
[ 826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BI
GHSA
GHSA-h9hj-4382-6wh4: Plugin does not sanitize and escape the URL field in the Pretty Url WordPress plugin through 1
ghsa_unreviewed·2023-05-15
CVE-2023-2009 [MEDIUM] CWE-79 GHSA-h9hj-4382-6wh4: Plugin does not sanitize and escape the URL field in the Pretty Url WordPress plugin through 1
Plugin does not sanitize and escape the URL field in the Pretty Url WordPress plugin through 1.5.4 settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
No detection rules found.
Nuclei
Pretty Url <= 1.5.4 - Cross-Site Scripting
nuclei·CVSS 4.8
CVE-2023-2009 [MEDIUM] Pretty Url <= 1.5.4 - Cross-Site Scripting
Pretty Url ")'
- 'contains(body_3, "prettyurls")'
condition: and
extractors:
- type: regex
internal: true
name: nonce
part: body
group: 1
regex:
- 'name="_wpnonce" value="([0-9a-z]+)" />'
# digest: 4a0a0047304502206b58449840ee318db85d231466f82d862704d6433586e90aad66301849f4e740022100c176462ffe933b8b3773f586c6e596a8b6ffa427e8ddadafa95e796dded04f0f:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
2023-05-15
Published