CVE-2023-3129

CWE-79Cross-site Scripting (XSS)4 documents4 sources
Severity
4.8MEDIUM
EPSS
0.3%
top 46.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown URL ShortifyKaizencoders URL Shortify
Timeline
PublishedJul 10
Latest updateSep 18

Description

The URL Shortify WordPress plugin before 1.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/url_shortify< 1.7.0

🔴Vulnerability Details

2
GHSA
GHSA-fj6w-pj39-77x8: The URL Shortify WordPress plugin before 12023-07-10
CVEList
URL Shortify < 1.7.0 - Admin+ Cross Site Scripting2023-07-10

📋Vendor Advisories

1
CISA
Laravel Ignition File Upload Vulnerability2023-09-18
CVE-2023-3129 (MEDIUM CVSS 4.8) | The URL Shortify WordPress plugin b | cvebase.io