CVE-2023-30868
published 2023-05-18

CVE-2023-30868: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Jon Christopher CMS Tree Page View plugin <= 1.6.7 versions.

Priority: P3 (39)
Severity: medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit / EPSS: 4.00% (89.2th percentile)
Affected (2 ranges)

Vendor                       Product              Version range   Fixed in
cms_tree_page_view_project   cms_tree_page_view   <= 1.6.7        n/a
jon_christopher              cms_tree_page_view   n/a – 1.6.7     n/a

Detection & IOCs (extracted from sources)

url:  /wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
path: /wp-content/plugins/cms-tree-page-view/
url:  https://downloads.wordpress.org/plugin/cms-tree-page-view.1.6.6.zip
  • Detect exploitation attempts by monitoring HTTP requests to /wp-admin/edit.php with the 'page=cms-tpv-page-post' parameter combined with script injection payloads in the 'post_type' parameter.
  • Alert on HTTP responses containing both the URL-encoded XSS payload '%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' and the string 'CMS Tree Page View' in the body, with a 200 status code — indicating successful reflection.
  • The vulnerability is triggered via the 'post_type' parameter in the CMS Tree Page View admin page; monitor for unescaped script tags or angle brackets in this parameter.
  • Exploitation requires a prior authenticated POST to /wp-login.php; correlate login events followed immediately by the malicious GET request to /wp-admin/edit.php?page=cms-tpv-page-post.
  • The XSS is reflected (not stored); exploitation requires the victim administrator to click a crafted link. The attack surface is limited to authenticated users with administrator privileges or higher.
  • The CMS Tree Page View plugin setting 'Select where to show a tree for pages and custom post types' must be enabled for posts for the vulnerable endpoint to be reachable.